OpenSSL: full-chain OCSP stapling. Bug 1466

[users/heiko/exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 273348ac8dfeb033c563f45f05b283fea911ef3e..6cfe0bf63095a0599ea712241cad7d7bb3a3e47b 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16459,6 +16459,8 @@ and from which pipeline early-connection (before MAIL) SMTP
 commands are acceptable.
 When used, the pipelining saves on roundtrip times.
 
 commands are acceptable.
 When used, the pipelining saves on roundtrip times.
 

+See also the &%hosts_pipe_connect%& smtp transport option.
+

 Currently the option name &"X_PIPE_CONNECT"& is used.
 .wen
 
 Currently the option name &"X_PIPE_CONNECT"& is used.
 .wen
 


@@ -17736,7 +17738,14 @@ larger prime than requested.
 The value of this option is expanded and indicates the source of DH parameters
 to be used by Exim.
 
 The value of this option is expanded and indicates the source of DH parameters
 to be used by Exim.
 

-&*Note: The Exim Maintainers strongly recommend using a filename with site-generated
+.new
+This option is ignored for GnuTLS version 3.6.0 and later.
+The library manages parameter negotiation internally.
+.wen
+
+&*Note: The Exim Maintainers strongly recommend,
+for other TLS library versions,
+using a filename with site-generated

 local DH parameters*&, which has been supported across all versions of Exim.  The
 other specific constants available are a fallback so that even when
 "unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS.
 local DH parameters*&, which has been supported across all versions of Exim.  The
 other specific constants available are a fallback so that even when
 "unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS.


@@ -17841,12 +17850,20 @@ The ordering of the two lists must match.
 
 .new
 The file(s) should be in DER format,
 
 .new
 The file(s) should be in DER format,

-except for GnuTLS 3.6.3 or later when an optional filetype prefix
-can be used.  The prefix must be one of "DER" or "PEM", followed by
+except for GnuTLS 3.6.3 or later
+or for OpenSSL,
+when an optional filetype prefix can be used.
+The prefix must be one of "DER" or "PEM", followed by

 a single space.  If one is used it sets the format for subsequent
 files in the list; the initial format is DER.
 a single space.  If one is used it sets the format for subsequent
 files in the list; the initial format is DER.

-When a PEM format file is used it may contain multiple proofs,
-for multiple certificate chain element proofs under TLS1.3.
+If multiple proofs are wanted, for multiple chain elements
+(this only works under TLS1.3)
+they must be coded as a combined OCSP response.
+
+Although GnuTLS will accept PEM files with multiple separate
+PEM blobs (ie. separate OCSP responses), it sends them in the
+TLS Certificate record interleaved with the certificates of the chain;
+although a GnuTLS client is happy with that, an OpenSSL client is not.

 .wen
 
 .option tls_on_connect_ports main "string list" unset
 .wen
 
 .option tls_on_connect_ports main "string list" unset


@@ -24733,6 +24750,8 @@ When used, the pipelining saves on roundtrip times.
 It also turns SMTP into a client-first protocol
 so combines well with TCP Fast Open.
 
 It also turns SMTP into a client-first protocol
 so combines well with TCP Fast Open.
 

+See also the &%pipelining_connect_advertise_hosts%& main option.
+

 Note:
 When the facility is used, the transport &%helo_data%& option
 will be expanded before the &$sending_ip_address$& variable
 Note:
 When the facility is used, the transport &%helo_data%& option
 will be expanded before the &$sending_ip_address$& variable


@@ -41032,7 +41051,9 @@ Events have names which correspond to the point in process at which they fire.
 The name is placed in the variable &$event_name$& and the event action
 expansion must check this, as it will be called for every possible event type.
 
 The name is placed in the variable &$event_name$& and the event action
 expansion must check this, as it will be called for every possible event type.
 

+.new

 The current list of events is:
 The current list of events is:

+.wen

 .display
 &`dane:fail              after    transport  `& per connection
 &`msg:complete           after    main       `& per message
 .display
 &`dane:fail              after    transport  `& per connection
 &`msg:complete           after    main       `& per message


@@ -41046,6 +41067,7 @@ The current list of events is:
 &`tcp:close              after    transport  `& per connection
 &`tls:cert               before   both       `& per certificate in verification chain
 &`smtp:connect           after    transport  `& per connection
 &`tcp:close              after    transport  `& per connection
 &`tls:cert               before   both       `& per certificate in verification chain
 &`smtp:connect           after    transport  `& per connection

+&`smtp:ehlo              after    transport  `& per connection

 .endd
 New event types may be added in future.
 
 .endd
 New event types may be added in future.
 


@@ -41072,6 +41094,7 @@ with the event type:
 &`msg:host:defer       `& error string
 &`tls:cert             `& verification chain depth
 &`smtp:connect         `& smtp banner
 &`msg:host:defer       `& error string
 &`tls:cert             `& verification chain depth
 &`smtp:connect         `& smtp banner

+&`smtp:ehlo            `& smtp ehlo response

 .endd
 
 The :defer events populate one extra variable: &$event_defer_errno$&.
 .endd
 
 The :defer events populate one extra variable: &$event_defer_errno$&.