OpenSSL: better handling of $tls_{in,out}_certificate_verified under resumption

[exim.git] / doc / doc-txt / experimental-spec.txt

diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 211841f3f0e02dd552519d8539cc365f8959e40d..aa7046e58f9b8bb1398eb1795f7a44d0b62cf134 100644 (file)
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -993,15 +993,16 @@ Observability:
  New log_selector "tls_resumption", appends an asterisk to the tls_cipher "X="
  element.
 
- Variables $tls_{in,out}_resumption have bit 0-4 indicating respectively
+ Variables $tls_{in,out}_resumption have bits 0-4 indicating respectively
  support built, client requested ticket, client offered session,
  server issued ticket, resume used.  A suitable decode list is provided
  in the builtin macro _RESUME_DECODE for ${listextract {}{}}.
 
 Issues:
  In a resumed session:
-  $tls_{in,out}_certificate_verified will be unset (undler OpenSSL)
-  verify = certificate will be false (undler OpenSSL)
+  $tls_{in,out}_certificate_verified will be set, and verify = certificate
+    will be true, when verify failed but tls_try_verify_hosts allowed the
+    connection (under OpenSSL)
   $tls_{in,out}_cipher will have values different to the original (under GnuTLS)
   $tls_{in,out}_ocsp will be "not requested" or "no response"