Docs: add note on unusablility of must-staple certs by clients. Bug 2350

author Jeremy Harris <jgh146exb@wizmail.org>

Mon, 15 Jul 2019 09:53:35 +0000 (10:53 +0100)

committer Jeremy Harris <jgh146exb@wizmail.org>

Mon, 15 Jul 2019 09:53:35 +0000 (10:53 +0100)
author Jeremy Harris <jgh146exb@wizmail.org>
Mon, 15 Jul 2019 09:53:35 +0000 (10:53 +0100)
committer Jeremy Harris <jgh146exb@wizmail.org>
Mon, 15 Jul 2019 09:53:35 +0000 (10:53 +0100)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt

index 5463cc1a52b8529389630f138da74b1bfc7bdde8..37ada7514fb783d15f9c219176f624210b20adfe 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -28478,6 +28478,13 @@ transport provide the client with a certificate, which is passed to the server
  if it requests it. If the server is Exim, it will request a certificate only if
  &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.
  
+.new
+Do not use a certificate which has the OCSP-must-staple extension,
+for client use (they are usable for server use).
+As TLS has no means for the client to staple before TLS 1.3 it will result
+in failed connections.
+.wen
+
  If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it
  specifies a collection of expected server certificates.
  These may be
author	Jeremy Harris <jgh146exb@wizmail.org>
	Mon, 15 Jul 2019 09:53:35 +0000 (10:53 +0100)
committer	Jeremy Harris <jgh146exb@wizmail.org>
	Mon, 15 Jul 2019 09:53:35 +0000 (10:53 +0100)