git://git.exim.org / users / jgh / exim.git / blobdiff
Constification
[users/jgh/exim.git] / doc / doc-docbook / spec.xfpt
diff --git
a/doc/doc-docbook/spec.xfpt
b/doc/doc-docbook/spec.xfpt
index 8ae08e78709ba0790db3f183570b3e83ca9fffad..8fde6397c442f19f0bb7073adc3b1b5d83a07d33 100644
(file)
--- a/
doc/doc-docbook/spec.xfpt
+++ b/
doc/doc-docbook/spec.xfpt
@@
-509,7
+509,7
@@
message to the &'exim-dev'& mailing list and have it discussed.
.cindex "distribution" "https site"
The master distribution site for the Exim distribution is
.display
.cindex "distribution" "https site"
The master distribution site for the Exim distribution is
.display
-
.
url(https://downloads.exim.org/)
+
&
url(https://downloads.exim.org/)
.endd
The service is available over HTTPS, HTTP and FTP.
We encourage people to migrate to HTTPS.
.endd
The service is available over HTTPS, HTTP and FTP.
We encourage people to migrate to HTTPS.
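Review bot: this hunk is a documentation markup fix, replacing the `.url` directive form with the inline `&url(...)` form inside a `.display` block, and it has nothing to do with a commit titled "Constification"; consider moving it, together with the identical fix to the Apache SSL URL further down, into a separate doc-only commit so the history stays searchable. The change itself looks right: `&url(...)` matches the inline markup used elsewhere in this file (`&'exim-dev'&`, `&_/cert/file_&`).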
@@
-27773,7
+27773,7
@@
session with a client, you must set either &%tls_verify_hosts%& or
apply to all TLS connections. For any host that matches one of these options,
Exim requests a certificate as part of the setup of the TLS session. The
contents of the certificate are verified by comparing it with a list of
apply to all TLS connections. For any host that matches one of these options,
Exim requests a certificate as part of the setup of the TLS session. The
contents of the certificate are verified by comparing it with a list of
-expected certificates.
+expected
trust-anchors or
certificates.
These may be the system default set (depending on library version),
an explicit file or,
depending on library version, a directory, identified by
These may be the system default set (depending on library version),
an explicit file or,
depending on library version, a directory, identified by
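Review bot: "trust-anchors" should be "trust anchors" (it is a noun phrase here, not a modifier), and the same widening should be carried into the following paragraph, where "does not match any of the certificates in the collection named by" still describes the collection as certificates only. Saying that the list may hold trust anchors is worth doing, because it changes what a match means: a client certificate that chains to a listed CA is accepted, not only a certificate that is itself in the list, which is what naming a CA as a trust anchor implies.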
@@
-27790,6
+27790,9
@@
openssl x509 -hash -noout -in /cert/file
.endd
where &_/cert/file_& contains a single certificate.
.endd
where &_/cert/file_& contains a single certificate.
+There is no checking of names of the client against the certificate
+Subject Name or Subject Alternate Names.
+
The difference between &%tls_verify_hosts%& and &%tls_try_verify_hosts%& is
what happens if the client does not supply a certificate, or if the certificate
does not match any of the certificates in the collection named by
The difference between &%tls_verify_hosts%& and &%tls_try_verify_hosts%& is
what happens if the client does not supply a certificate, or if the certificate
does not match any of the certificates in the collection named by
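Review bot: the X.509 term is "Subject Alternative Name" (RFC 5280), not "Subject Alternate Names", and "names of the client" reads better as "the client's host name". The caveat itself deserves to be stated more strongly: since no name is checked, a successful verification here establishes only that the presented certificate chains to one of the configured trust anchors (or is itself listed), not which client holds it, so any certificate issued by a configured CA satisfies the check, and an administrator who needs to tell clients apart must do so by some other means. Consider saying that explicitly next to the new sentence.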
@@
-27951,6
+27954,11
@@
The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict
certificate verification to the listed servers. Verification either must
or need not succeed respectively.
certificate verification to the listed servers. Verification either must
or need not succeed respectively.
+The &%tls_verify_cert_hostnames%& option lists hosts for which additional
+checks are made: that the host name (the one in the DNS A record)
+is valid for the certificate.
+The option defaults to always checking.
+
The &(smtp)& transport has two OCSP-related options:
&%hosts_require_ocsp%&; a host-list for which a Certificate Status
is requested and required for the connection to proceed. The default
The &(smtp)& transport has two OCSP-related options:
&%hosts_require_ocsp%&; a host-list for which a Certificate Status
is requested and required for the connection to proceed. The default
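Review bot: "The option defaults to always checking" does not state the default value; the other host-list options in this section give one, so spell out the default list, and say whether the check only applies to hosts that also match `tls_verify_hosts` or `tls_try_verify_hosts` ("additional checks" implies it but does not say so). Also clarify "the host name (the one in the DNS A record)": whether the name compared with the certificate is the name Exim was asked to deliver to (the MX or routed host) or a name obtained by a further lookup matters, because a name taken from an unauthenticated DNS answer can be changed by whoever controls that answer, which is exactly the substitution a hostname check exists to catch. "is valid for the certificate" would be clearer as "matches a name in the certificate".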
@@
-28125,7
+28133,7
@@
The Apache web-server was for a long time the canonical guide, so their
documentation is a good place to start; their SSL module's Introduction
document is currently at
.display
documentation is a good place to start; their SSL module's Introduction
document is currently at
.display
-
.
url(https://httpd.apache.org/docs/current/ssl/ssl_intro.html)
+
&
url(https://httpd.apache.org/docs/current/ssl/ssl_intro.html)
.endd
and their FAQ is at
.display
.endd
and their FAQ is at
.display
@@
-28256,7
+28264,7
@@
this is appropriate for a single system, using a self-signed certificate.
DANE-TA usage is effectively declaring a specific CA to be used; this might be a private CA or a public,
well-known one.
A private CA at simplest is just a self-signed certificate (with certain
DANE-TA usage is effectively declaring a specific CA to be used; this might be a private CA or a public,
well-known one.
A private CA at simplest is just a self-signed certificate (with certain
-attributes) which is used to sign
c
erver certificates, but running one securely
+attributes) which is used to sign
s
erver certificates, but running one securely
does require careful arrangement.
With DANE-TA, as implemented in Exim and commonly in other MTAs,
the server TLS handshake must transmit the entire certificate chain from CA to server-certificate.
does require careful arrangement.
With DANE-TA, as implemented in Exim and commonly in other MTAs,
the server TLS handshake must transmit the entire certificate chain from CA to server-certificate.
@@
-40089,6
+40097,8
@@
with the event type:
.display
&`dane:fail `& failure reason
&`msg:delivery `& smtp confirmation message
.display
&`dane:fail `& failure reason
&`msg:delivery `& smtp confirmation message
+&`msg:fail:internal `& failure reason
+&`msg:fail:delivery `& smtp error message
&`msg:rcpt:host:defer `& error string
&`msg:rcpt:defer `& error string
&`msg:host:defer `& error string
&`msg:rcpt:host:defer `& error string
&`msg:rcpt:defer `& error string
&`msg:host:defer `& error string
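Review bot: the two new event types are only listed, not explained; the prose for this section should say when each fires (`msg:fail:delivery` on a permanent SMTP error, `msg:fail:internal` on an internal failure, if that is the intent) and what the "failure reason" and "smtp error message" data carry, otherwise an administrator wiring a monitoring hook to these events has nothing to match on. Adding new event types is also a functional change that the commit message "Constification" does not mention; either note it there or split it out.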