git://git.exim.org
GnuTLS: multiple server certs, OCSP stapling. Bug 2092
[users/jgh/exim.git] / doc / doc-docbook / spec.xfpt
diff --git
a/doc/doc-docbook/spec.xfpt
b/doc/doc-docbook/spec.xfpt
index cfee04ccd59fc90c52fe9cbf1d2fff9b326d25d4..5778ce6a81391bf2915aa5d15a2e2b35ca2bf50a 100644
(file)
--- a/
doc/doc-docbook/spec.xfpt
+++ b/
doc/doc-docbook/spec.xfpt
@@
-17133,8
+17133,13
@@
use when sending messages as a client, you must set the &%tls_certificate%&
option in the relevant &(smtp)& transport.
.new
option in the relevant &(smtp)& transport.
.new
+&*Note*&: If you use filenames based on IP addresses, change the list
+separator in the usual way to avoid confusion under IPv6.
+
&*Note*&: Under current versions of OpenSSL, when a list of more than one
file is used, the &$tls_in_ourcert$& veriable is unreliable.
&*Note*&: Under current versions of OpenSSL, when a list of more than one
file is used, the &$tls_in_ourcert$& veriable is unreliable.
+
+&*Note*&: OCSP stapling is not usable when a list of more than one file is used.
.wen
If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
.wen
If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
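Review bot: the added line `+&*Note*&: OCSP stapling is not usable when a list of more than one file is used.` is not scoped to a TLS library, while the two neighbouring notes in the same block are explicitly limited to "current versions of OpenSSL" and the second hunk of this same change documents a list-valued OCSP file option for GnuTLS 3.5.6 or later; as written, a reader will take the stapling restriction as unconditional and contradicting that later paragraph. Suggest naming the library, e.g. `&*Note*&: Under OpenSSL, OCSP stapling is not usable when a list of more than one file is used.` While this block is being edited, the existing context line `file is used, the &$tls_in_ourcert$& veriable is unreliable.` carries a typo (`veriable` for `variable`) that could be fixed in the same commit.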
@@
-17276,6
+17281,12
@@
Certificate Authority.
Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
+.new
+For GnuTLS 3.5.6 or later the expanded value of this option can be a list
+of files, to match a list given for the &%tls_certificate%& option.
+The ordering of the two lists must match.
+.wen
+
.option tls_on_connect_ports main "string list" unset
.cindex SSMTP
.option tls_on_connect_ports main "string list" unset
.cindex SSMTP
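Review bot: the new paragraph requires the ordering of the two lists to match but says nothing about what happens when the expanded list is shorter or longer than the `&%tls_certificate%&` list, or when one entry is empty; an administrator stapling responses for only some of several certificates needs to know whether the mismatch is rejected at startup, logged, or silently ignored. Suggest one sentence covering that case, and, since the IPv6 list-separator caveat added to the `&%tls_certificate%&` text in the first hunk applies to any list of filenames, either repeat it here or cross-reference it.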
@@
-27137,7
+27148,7
@@
let the Exim Maintainers know and we'll likely use it).
.next
.new
With GnuTLS, if an explicit list is used for the &%tls_privatekey%& main option
.next
.new
With GnuTLS, if an explicit list is used for the &%tls_privatekey%& main option
-main option, it must be ordered to match the
%&
tls_certificate%& list.
+main option, it must be ordered to match the
&%
tls_certificate%& list.
.wen
.next
Some other recently added features may only be available in one or the other.
.wen
.next
Some other recently added features may only be available in one or the other.
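Review bot: the `-`/`+` pair corrects the inverted xfpt markup (`%&tls_certificate%&` to `&%tls_certificate%&`), but the preceding context line already ends in `main option` and the rewritten line still begins with `main option,`, so the sentence renders as "the &%tls_privatekey%& main option main option, it must be ordered to match". Since the line is being rewritten anyway, drop the leading `main option,` from the `+` line so the two lines read `...for the &%tls_privatekey%& main option, it must be ordered to match the &%tls_certificate%& list.`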
@@
-31327,6
+31338,7
@@
address and some time-based randomizing information. The &%prvs%& expansion
item creates a signed address, and the &%prvscheck%& expansion item checks one.
The syntax of these expansion items is described in section
&<<SECTexpansionitems>>&.
item creates a signed address, and the &%prvscheck%& expansion item checks one.
The syntax of these expansion items is described in section
&<<SECTexpansionitems>>&.
+The validity period on signed addresses is seven days.
As an example, suppose the secret per-address keys are stored in an MySQL
database. A query to look up the key for an address could be defined as a macro
As an example, suppose the secret per-address keys are stored in an MySQL
database. A query to look up the key for an address could be defined as a macro
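Review bot: the added line `+The validity period on signed addresses is seven days.` documents prvs behaviour, which is unrelated to the GnuTLS certificate and OCSP work named in the commit message ("GnuTLS: multiple server certs, OCSP stapling. Bug 2092"); either split it into its own commit or mention it in the message so the change is findable from the log. The sentence should also say whether the seven-day period is fixed or tunable, and the adjacent context line `stored in an MySQL` could take `a MySQL` in passing.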