X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/1afce5bb5d0b9dec4fdf3cd8b6f339fc8d09339d..8fdf20fd84ec88d8f8a250f56d2b4d29ba946392:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index a93b39474..1dfa55228 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -9374,6 +9374,27 @@ ${extract{Z}{A=... B=...}{$value} fail } This forces an expansion failure (see section &<>&); {<&'string2'&>} must be present for &"fail"& to be recognized. +.new +.vitem "&*${extract json{*&<&'key'&>&*}{*&<&'string1'&>&*}{*&<&'string2'&>&*}&&& + {*&<&'string3'&>&*}}*&" +.cindex "expansion" "extracting from JSON object" +.cindex JSON expansions +The key and <&'string1'&> are first expanded separately. Leading and trailing +white space is removed from the key (but not from any of the strings). The key +must not be empty and must not consist entirely of digits. +The expanded <&'string1'&> must be of the form: +.display +{ <&'"key1"'&> : <&'value1'&> , <&'"key2"'&> , <&'value2'&> ... } +.endd +.vindex "&$value$&" +The braces, commas and colons, and the quoting of the member name are required; +the spaces are optional. +Matching of the key against the member names is done case-sensitively. +. XXX should be a UTF-8 compare + +The results of matching are handled as above. +.wen + .vitem "&*${extract{*&<&'number'&>&*}{*&<&'separators'&>&*}&&& {*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&" @@ -9406,6 +9427,19 @@ yields &"99"&. Two successive separators mean that the field between them is empty (for example, the fifth field above). +.new +.vitem "&*${extract json{*&<&'number'&>&*}}&&& + {*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&" +.cindex "expansion" "extracting from JSON array" +.cindex JSON expansions +The <&'number'&> argument must consist entirely of decimal digits, +apart from leading and trailing white space, which is ignored. + +Field selection and result handling is as above; +there is no choice of field separator. +.wen + + .vitem &*${filter{*&<&'string'&>&*}{*&<&'condition'&>&*}}*& .cindex "list" "selecting by condition" .cindex "expansion" "selecting from list by condition" @@ -27773,7 +27807,7 @@ session with a client, you must set either &%tls_verify_hosts%& or apply to all TLS connections. For any host that matches one of these options, Exim requests a certificate as part of the setup of the TLS session. The contents of the certificate are verified by comparing it with a list of -expected certificates. +expected trust-anchors or certificates. These may be the system default set (depending on library version), an explicit file or, depending on library version, a directory, identified by @@ -27790,6 +27824,9 @@ openssl x509 -hash -noout -in /cert/file .endd where &_/cert/file_& contains a single certificate. +There is no checking of names of the client against the certificate +Subject Name or Subject Alternate Names. + The difference between &%tls_verify_hosts%& and &%tls_try_verify_hosts%& is what happens if the client does not supply a certificate, or if the certificate does not match any of the certificates in the collection named by @@ -27951,6 +27988,11 @@ The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict certificate verification to the listed servers. Verification either must or need not succeed respectively. +The &%tls_verify_cert_hostnames%& option lists hosts for which additional +checks are made: that the host name (the one in the DNS A record) +is valid for the certificate. +The option defaults to always checking. + The &(smtp)& transport has two OCSP-related options: &%hosts_require_ocsp%&; a host-list for which a Certificate Status is requested and required for the connection to proceed. The default @@ -28256,7 +28298,7 @@ this is appropriate for a single system, using a self-signed certificate. DANE-TA usage is effectively declaring a specific CA to be used; this might be a private CA or a public, well-known one. A private CA at simplest is just a self-signed certificate (with certain -attributes) which is used to sign cerver certificates, but running one securely +attributes) which is used to sign server certificates, but running one securely does require careful arrangement. With DANE-TA, as implemented in Exim and commonly in other MTAs, the server TLS handshake must transmit the entire certificate chain from CA to server-certificate.