git://git.exim.org / exim.git / commitdiff
(from parent 1: b220576)
Docs: add warning on OCSP must-staple certs vs. client-cert use.
author: Jeremy Harris <jgh146exb@wizmail.org>, Sun, 13 Jan 2019 17:11:18 +0000 (17:11 +0000)
committer: Jeremy Harris <jgh146exb@wizmail.org>, Sun, 13 Jan 2019 17:14:57 +0000 (17:14 +0000)
doc/doc-docbook/spec.xfpt
diff --git
a/doc/doc-docbook/spec.xfpt
b/doc/doc-docbook/spec.xfpt
index 7d4dfbbe70797b752f5acc0da899cf77254a09dc..d21a718572711faf26f89bb7b0815897dd0865e1 100644
(file)
--- a/
doc/doc-docbook/spec.xfpt
+++ b/
doc/doc-docbook/spec.xfpt
@@
-28202,6
+28202,15
@@
checks are made: that the host name (the one in the DNS A record)
is valid for the certificate.
The option defaults to always checking.
+.new
+Do not use a client certificate that contains an "OCSP Must-Staple" extension.
+TLS 1.2 and below does not support client-side OCSP stapling, and
+(as of writing) the TLS libraries do not provide for it even with
+TLS 1.3.
+Be careful when using the same certificate for server- and
+client-certificate for this reason.
+.wen
+
The &(smtp)& transport has two OCSP-related options:
&%hosts_require_ocsp%&; a host-list for which a Certificate Status
is requested and required for the connection to proceed. The default
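Review bot: the new paragraph tells the reader not to use a must-staple client certificate but never says what goes wrong when one is used; spell out the consequence, e.g. that a verifying peer which honours the extension will fail the handshake because no status response can be stapled on the client side, since that is what makes the warning actionable. Two smaller points in the same hunk: "(as of writing)" should be tied to an Exim release or date so the sentence can be revisited once the TLS libraries Exim builds against (OpenSSL, GnuTLS) gain client-side stapling, and the closing sentence "Be careful when using the same certificate for server- and client-certificate for this reason." reads awkwardly; suggest "For this reason, take care when using one certificate for both server and client authentication." It would also help to give the extension's formal name ("TLS Feature", RFC 7633) next to "OCSP Must-Staple" so an operator can recognise it in their certificate tooling's output.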