[exim-dev] OCSP Stapling support in experimental_ocsp branch

Author: Phil Pennock
Date:  
To: exim-dev
Subject: [exim-dev] OCSP Stapling support in experimental_ocsp branch
Unless anyone objects, I'd like to merge in the experimental_ocsp branch
which I've just pushed.

It adds OCSP Stapling to Exim.

Like SNI support, it's most likely to be of use on the Submission port.
It integrates cleanly with SNI.

Documentation of what this is and why it's useful has been added to
experimental-spec.txt.

See:
http://git.exim.org/exim.git/blob/experimental_ocsp:/doc/doc-txt/experimental-spec.txt
https://github.com/Exim/exim/blob/experimental_ocsp/doc/doc-txt/experimental-spec.txt

There's no automatic maintenance; it assumes only one cert in the OCSP
file, etc.

For testing, in my certificate authority index dir, I ran:

# test responder: sign with the CA key, answers valid for 14 days
openssl ocsp \
  -index index.txt -CA globnixCA3.pem -rsigner globnixCA3.pem \
  -rkey private/globnixCA3-key.pem \
  -ndays 14 \
  -port 4444

I then ran:

# client: ask the responder about one serial, verify against the CA, save DER response
openssl ocsp \
  -issuer globnixCA3.pem -nonce -CAfile globnixCA3.pem \
  -url http://localhost:4444/ -serial 0x79 -respout fred

where 0x79 comes from my submission port cert. I put the file "fred"
into place as tls_ocsp_file.

For production usage, this would need a script keeping it up-to-date.
Possibly Exim as a daemon should be periodically refreshing this
automatically; that sort of question is why this is EXPERIMENTAL_OCSP.

Is there anyone running Exim for a large population of users who might
test this? I just have myself and my long-suffering wife.

-Phil
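The two-step procedure above (fetch a signed response, drop it in as tls_ocsp_file) and the remark that production use needs a script to keep it fresh, written out as an added example. This is not Exim's code and not Phil's; it is a hypothetical refresh script that drives the same `openssl ocsp` client command, refuses to install anything openssl did not report as "Response verify OK" and whose status is not "good", and replaces the file with rename() so a running Exim never reads a half-written response. The issuer file, responder URL and serial mirror the mail; the install path /etc/exim/ocsp.der, the two-day refresh margin and the sample responder output are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical tls_ocsp_file refresher (example code, not part of Exim)."""
import os
import re
import subprocess
import sys
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed values, mirroring the message; adjust for a real deployment.
ISSUER = "globnixCA3.pem"            # CA that issued the submission-port cert
OCSP_URL = "http://localhost:4444/"  # responder started with 'openssl ocsp -port 4444'
SERIAL = "0x79"                      # serial of the submission-port certificate
OCSP_FILE = "/etc/exim/ocsp.der"     # assumed path used as tls_ocsp_file
REFRESH_MARGIN = timedelta(days=2)   # assumed: refresh this long before nextUpdate
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"  # openssl prints e.g. "Jan  5 12:00:00 2024 GMT"

# Constructed sample of what 'openssl ocsp ... -text' prints for one serial.
SAMPLE_TEXT = ("Response verify OK\n"
               "0x79: good\n"
               "\tThis Update: Jan  5 12:00:00 2024 GMT\n"
               "\tNext Update: Jan 19 12:00:00 2024 GMT\n")


def _parse_time(s):
    # openssl pads the day with a space ("Jan  5"); collapse whitespace first.
    return datetime.strptime(" ".join(s.split()), OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_ocsp_text(text, serial=SERIAL):
    """Extract status/thisUpdate/nextUpdate from 'openssl ocsp -text' output.
    Accepts the summary line ('0x79: good') or the decoded response ('Cert Status: good')."""
    status = re.search(r"(?m)^\s*(?:Cert Status:|%s:)\s*(\w+)" % re.escape(serial), text)
    this_upd = re.search(r"This Update:\s*(.+)", text)
    next_upd = re.search(r"Next Update:\s*(.+)", text)
    if not (status and this_upd):
        raise ValueError("no certificate status in OCSP output")
    return {"status": status.group(1),
            "this_update": _parse_time(this_upd.group(1)),
            "next_update": _parse_time(next_upd.group(1)) if next_upd else None}


def needs_refresh(info, now, margin=REFRESH_MARGIN):
    """True when the stapled response should be replaced: a non-good status is not
    worth stapling, no nextUpdate means no validity window, else refresh near expiry."""
    if info["status"] != "good" or info["next_update"] is None:
        return True
    return now + margin >= info["next_update"]


def fetch_response(dest_dir, issuer=ISSUER, url=OCSP_URL, serial=SERIAL):
    """Same client query as the mail, plus -text, written to a temp file in dest_dir.
    Raises unless openssl reports 'Response verify OK' (signature chains to the CA).
    The exit status on verify failure differs between openssl releases, so the
    text is checked as well as the return code."""
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, suffix=".ocsp.tmp")
    os.close(fd)
    cmd = ["openssl", "ocsp", "-issuer", issuer, "-nonce", "-CAfile", issuer,
           "-url", url, "-serial", serial, "-respout", tmp_path, "-text"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    if proc.returncode != 0 or "Response verify OK" not in output:
        os.unlink(tmp_path)
        raise RuntimeError("OCSP fetch/verify failed:\n" + output.strip())
    return tmp_path, output


def current_info(path, issuer=ISSUER, serial=SERIAL):
    """Decode the installed response (verified when fetched), or None if absent."""
    if not os.path.exists(path):
        return None
    proc = subprocess.run(["openssl", "ocsp", "-respin", path, "-resp_text", "-noverify",
                           "-issuer", issuer, "-serial", serial],
                          capture_output=True, text=True)
    try:
        return parse_ocsp_text(proc.stdout, serial)
    except ValueError:
        return None


def install_atomically(tmp_path, final_path):
    """rename(2) is atomic on one filesystem: Exim sees either the old or the new file."""
    os.chmod(tmp_path, 0o644)
    os.replace(tmp_path, final_path)


def main():
    now = datetime.now(timezone.utc)
    info = current_info(OCSP_FILE)
    if info is not None and not needs_refresh(info, now):
        print("stapled response still good until", info["next_update"])
        return 0
    tmp_path, text = fetch_response(os.path.dirname(OCSP_FILE) or ".")
    new = parse_ocsp_text(text)
    if new["status"] != "good":
        os.unlink(tmp_path)  # never staple a revoked/unknown answer
        print("responder says %s; not installing" % new["status"], file=sys.stderr)
        return 1
    install_atomically(tmp_path, OCSP_FILE)
    print("installed response good until", new["next_update"])
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from cron (or a systemd timer) at an interval shorter than the margin, from the CA directory or with absolute paths; it only contacts the responder when the installed file is close to its nextUpdate, which keeps a flaky responder from taking a good staple out of service.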