Docs: add warning on SNI-dependent certfile expansion needing a good default

author Jeremy Harris <jgh146exb@wizmail.org>

Wed, 12 Oct 2016 12:40:19 +0000 (13:40 +0100)

committer Jeremy Harris <jgh146exb@wizmail.org>

Wed, 12 Oct 2016 12:40:19 +0000 (13:40 +0100)
author Jeremy Harris <jgh146exb@wizmail.org>
Wed, 12 Oct 2016 12:40:19 +0000 (13:40 +0100)
committer Jeremy Harris <jgh146exb@wizmail.org>
Wed, 12 Oct 2016 12:40:19 +0000 (13:40 +0100)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt

index 97df293d50393562042588d43b8d7485cd60291b..45d84571869afdeda6b21ff033d6d85639d5e9e4 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -27537,8 +27537,13 @@ during TLS session handshake, to permit alternative values to be chosen:
  
  Great care should be taken to deal with matters of case, various injection
  attacks in the string (&`../`& or SQL), and ensuring that a valid filename
-can always be referenced; it is important to remember that &$tls_sni$& is
+can always be referenced; it is important to remember that &$tls_in_sni$& is
  arbitrary unverified data provided prior to authentication.
+.new
+Further, the initial cerificate is loaded before SNI is arrived, so
+an expansion for &%tls_certificate%& must have a default which is used
+when &$tls_in_sni$& is empty.
+.wen
  
  The Exim developers are proceeding cautiously and so far no other TLS options
  are re-expanded.
author	Jeremy Harris <jgh146exb@wizmail.org>
	Wed, 12 Oct 2016 12:40:19 +0000 (13:40 +0100)
committer	Jeremy Harris <jgh146exb@wizmail.org>
	Wed, 12 Oct 2016 12:40:19 +0000 (13:40 +0100)