Docs: add warning on SNI-dependent certfile expansion needing a good default
[users/jgh/exim.git] / doc / doc-docbook / spec.xfpt
diff --git
a/doc/doc-docbook/spec.xfpt
b/doc/doc-docbook/spec.xfpt
index 97df293d50393562042588d43b8d7485cd60291b..45d84571869afdeda6b21ff033d6d85639d5e9e4 100644
(file)
--- a/
doc/doc-docbook/spec.xfpt
+++ b/
doc/doc-docbook/spec.xfpt
@@
-27537,8
+27537,13
@@
during TLS session handshake, to permit alternative values to be chosen:
Great care should be taken to deal with matters of case, various injection
attacks in the string (&`../`& or SQL), and ensuring that a valid filename
Great care should be taken to deal with matters of case, various injection
attacks in the string (&`../`& or SQL), and ensuring that a valid filename
-can always be referenced; it is important to remember that &$tls_sni$& is
+can always be referenced; it is important to remember that &$tls_
in_
sni$& is
arbitrary unverified data provided prior to authentication.
arbitrary unverified data provided prior to authentication.
+.new
+Further, the initial cerificate is loaded before SNI is arrived, so
+an expansion for &%tls_certificate%& must have a default which is used
+when &$tls_in_sni$& is empty.
+.wen
The Exim developers are proceeding cautiously and so far no other TLS options
are re-expanded.
The Exim developers are proceeding cautiously and so far no other TLS options
are re-expanded.
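Review bot: the new `.new` paragraph has a spelling error and a grammar slip in its first line: "cerificate" should be "certificate", and "before SNI is arrived" should read "before the SNI has arrived" (or "before SNI arrives"). The paragraph also says a default is required but does not say what form it should take. Since the preceding sentence already warns that &$tls_in_sni$& is arbitrary unverified data, consider stating here that any value which does not map to a known certificate file should fall back to the same default as the empty case, so that the "valid filename can always be referenced" requirement and the new default requirement are visibly one rule. A one-line example expansion with an explicit fallback branch would make this concrete for readers.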