channel binding notes

[users/heiko/exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 55ccb1632b5727a8bac1935abbe7b14da873621e..4c79e87cf81aae44eb0bbd798ddd53f058d7ee79 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -28181,6 +28181,10 @@ supplied by the server.
 .option server_channelbinding gsasl boolean false
 Do not set this true and rely on the properties
 without consulting a cryptographic engineer.
 .option server_channelbinding gsasl boolean false
 Do not set this true and rely on the properties
 without consulting a cryptographic engineer.

+. Unsure what that's about.  It might be the "Triple Handshake"
+. vulnerability; cf. https://www.mitls.org/pages/attacks/3SHAKE
+. If so, we're ok, requiring Extended Master Secret if TLS
+. Session Resumption was used.

 
 Some authentication mechanisms are able to use external context at both ends
 of the session to bind the authentication to that context, and fail the
 
 Some authentication mechanisms are able to use external context at both ends
 of the session to bind the authentication to that context, and fail the


@@ -38315,7 +38319,7 @@ flagged with &`->`& instead of &`=>`&. When two or more messages are delivered
 down a single SMTP connection, an asterisk follows the
 .new
 remote IP address (and port if enabled)
 down a single SMTP connection, an asterisk follows the
 .new
 remote IP address (and port if enabled)

-.ewn
+.wen

 in the log lines for the second and subsequent messages.
 When two or more messages are delivered down a single TLS connection, the
 DNS and some TLS-related information logged for the first message delivered
 in the log lines for the second and subsequent messages.
 When two or more messages are delivered down a single TLS connection, the
 DNS and some TLS-related information logged for the first message delivered