[exim-cvs] Move OCSP out of EXPERIMENTAL

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Exim Git Commits Mailing List
Dátum:  
Címzett: exim-cvs
Tárgy: [exim-cvs] Move OCSP out of EXPERIMENTAL
Gitweb: http://git.exim.org/exim.git/commitdiff/f2de3a3339ee08778dffb98057f1c19bdcf86374
Commit:     f2de3a3339ee08778dffb98057f1c19bdcf86374
Parent:     7437665e6205079041af7f56bcc3bee0a20c6d5c
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Fri May 23 15:50:07 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Fri May 23 15:50:07 2014 +0100


    Move OCSP out of EXPERIMENTAL
---
 doc/doc-docbook/spec.xfpt                    |  103 ++++++++++++++++++++++++++
 doc/doc-txt/ChangeLog                        |    2 +
 doc/doc-txt/NewStuff                         |    9 ++-
 doc/doc-txt/experimental-spec.txt            |   91 -----------------------
 src/src/EDITME                               |   12 ++-
 src/src/config.h.defaults                    |    3 +-
 src/src/deliver.c                            |    4 +-
 src/src/exim.c                               |    6 +-
 src/src/globals.c                            |    2 +-
 src/src/globals.h                            |    2 +-
 src/src/readconf.c                           |    2 +-
 src/src/tls-gnu.c                            |   15 ++--
 src/src/tls-openssl.c                        |   44 ++++++------
 src/src/transports/smtp.c                    |    6 +-
 src/src/transports/smtp.h                    |    2 +-
 test/scripts/5600-OCSP-OpenSSL/REQUIRES      |    2 +-
 test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES |    2 +-
 test/scripts/5650-OCSP-GnuTLS/REQUIRES       |    2 +-
 test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES  |    2 +-
 19 files changed, 167 insertions(+), 144 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 46c83ad..990df62 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -13222,6 +13222,7 @@ listed in more than one group.
 .row &%tls_crl%&                     "certificate revocation list"
 .row &%tls_dh_max_bits%&             "clamp D-H bit count suggestion"
 .row &%tls_dhparam%&                 "DH parameters for server"
+.row &%tls_ocsp_file%&               "location of server certificate status proof"
 .row &%tls_on_connect_ports%&        "specify SSMTP (SMTPS) ports"
 .row &%tls_privatekey%&              "location of server private key"
 .row &%tls_remember_esmtp%&          "don't reset after starting TLS"
@@ -16341,6 +16342,13 @@ prior to the 4.80 release, as Debian used to patch Exim to raise the minimum
 acceptable bound from 1024 to 2048.



+.option tls_ocsp_file main string&!! unset
+This option
+must if set expand to the absolute path to a file which contains a current
+status proof for the server's certificate, as obtained from the
+Certificate Authority.
+
+
.option tls_on_connect_ports main "string list" unset
This option specifies a list of incoming SSMTP (aka SMTPS) ports that should
operate the obsolete SSMTP (SMTPS) protocol, where a TLS session is immediately
@@ -23005,6 +23013,18 @@ hard failure if required. See also &%hosts_try_auth%&, and chapter
&<<CHAPSMTPAUTH>>& for details of authentication.


+.option hosts_request_ocsp smtp "host list&!!" *
+.cindex "TLS" "requiring for certain servers"
+Exim will request a Certificate Status on a
+TLS session for any host that matches this list.
+&%tls_verify_certificates%& should also be set for the transport.
+
+.option hosts_require_ocsp smtp "host list&!!" unset
+.cindex "TLS" "requiring for certain servers"
+Exim will request, and check for a valid Certificate Status being given, on a
+TLS session for any host that matches this list.
+&%tls_verify_certificates%& should also be set for the transport.
+
.option hosts_require_tls smtp "host list&!!" unset
.cindex "TLS" "requiring for certain servers"
Exim will insist on using a TLS session when delivering to any host that
@@ -26164,12 +26184,79 @@ certificate is supplied, &$tls_in_peerdn$& is empty.
.cindex "TLS" "revoked certificates"
.cindex "revocation list"
.cindex "certificate" "revocation list"
+.cindex "OCSP" "stapling"
Certificate issuing authorities issue Certificate Revocation Lists (CRLs) when
certificates are revoked. If you have such a list, you can pass it to an Exim
server using the global option called &%tls_crl%& and to an Exim client using
an identically named option for the &(smtp)& transport. In each case, the value
of the option is expanded and must then be the name of a file that contains a
CRL in PEM format.
+The downside is that clients have to periodically re-download a potentially huge
+file from every certificate authority the know of.
+
+The way with most moving parts at query time is Online Certificate
+Status Protocol (OCSP), where the client verifies the certificate
+against an OCSP server run by the CA. This lets the CA track all
+usage of the certs. It requires running software with access to the
+private key of the CA, to sign the responses to the OCSP queries. OCSP
+is based on HTTP and can be proxied accordingly.
+
+The only widespread OCSP server implementation (known to this writer)
+comes as part of OpenSSL and aborts on an invalid request, such as
+connecting to the port and then disconnecting. This requires
+re-entering the passphrase each time some random client does this.
+
+The third way is OCSP Stapling; in this, the server using a certificate
+issued by the CA periodically requests an OCSP proof of validity from
+the OCSP server, then serves it up inline as part of the TLS
+negotiation. This approach adds no extra round trips, does not let the
+CA track users, scales well with number of certs issued by the CA and is
+resilient to temporary OCSP server failures, as long as the server
+starts retrying to fetch an OCSP proof some time before its current
+proof expires. The downside is that it requires server support.
+
+Unless Exim is built with the support disabled,
+or with GnuTLS earlier than version 3.1.3,
+support for OCSP stapling is included.
+
+There is a global option called &%tls_ocsp_file%&.
+The file specified therein is expected to be in DER format, and contain
+an OCSP proof. Exim will serve it as part of the TLS handshake. This
+option will be re-expanded for SNI, if the &%tls_certificate%& option
+contains &`tls_in_sni`&, as per other TLS options.
+
+Exim does not at this time implement any support for fetching a new OCSP
+proof. The burden is on the administrator to handle this, outside of
+Exim. The file specified should be replaced atomically, so that the
+contents are always valid. Exim will expand the &%tls_ocsp_file%& option
+on each connection, so a new file will be handled transparently on the
+next connection.
+
+When built with OpenSSL Exim will check for a valid next update timestamp
+in the OCSP proof; if not present, or if the proof has expired, it will be
+ignored.
+
+For the client to be able to verify the stapled OCSP the server must
+also supply, in its stapled information, any intermediate
+certificates for the chain leading to the OCSP proof from the signer
+of the server certificate. There may be zero or one such. These
+intermediate certificates should be added to the server OCSP stapling
+file named by &%tls_ocsp_file%&.
+
+Note that the proof only covers the terminal server certificate,
+not any of the chain from CA to it.
+
+.code
+ A helper script "ocsp_fetch.pl" for fetching a proof from a CA
+ OCSP server is supplied. The server URL may be included in the
+ server certificate, if the CA is helpful.
+
+ One failure mode seen was the OCSP Signer cert expiring before the end
+ of validity of the OCSP proof. The checking done by Exim/OpenSSL
+ noted this as invalid overall, but the re-fetch script did not.
+.endd
+
+


.section "Configuring an Exim client to use TLS" "SECID185"
@@ -26225,6 +26312,19 @@ The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict
certificate verification to the listed servers. Verification either must
or need not succeed respectively.

+The &(smtp)& transport has two OCSP-related options:
+&%hosts_require_ocsp%&; a host-list for which a Certificate Status
+is requested and required for the connection to proceed. The default
+value is empty.
+&%hosts_request_ocsp%&; a host-list for which (additionally)
+a Certificate Status is requested (but not necessarily verified). The default
+value is "*" meaning that requests are made unless configured
+otherwise.
+
+The host(s) should also be in &%hosts_require_tls%&, and
+&%tls_verify_certificates%& configured for the transport,
+for OCSP to be relevant.
+
If
&%tls_require_ciphers%& is set on the &(smtp)& transport, it must contain a
list of permitted cipher suites. If either of these checks fails, delivery to
@@ -26310,6 +26410,9 @@ during TLS session handshake, to permit alternative values to be chosen:
.next
.vindex "&%tls_verify_certificates%&"
&%tls_verify_certificates%&
+.next
+.vindex "&%tls_ocsp_file%&"
+&%tls_verify_certificates%&
.endlist

 Great care should be taken to deal with matters of case, various injection
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 22be343..ee56623 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -121,6 +121,8 @@ JH/23 The PRDR feature is moved from being Experimental into the mainline.
 TL/11 Bug 1119: fix memory allocation in string_printing2().  Patch from
       Christian Aistleitner.


+JH/24 The OCSP stapling feature is moved from Experimental into the mainline.
+

 Exim version 4.82
 -----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index ac06ebf..f3e2dc1 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -39,8 +39,7 @@ Version 4.83
  7. New command-line option -C for exiqgrep to specify alternate exim.conf
     file when searching the queue.


- 8. EXPERIMENTAL_OCSP now supports GnuTLS also, if you have version 3.1.3
-    or later of that.
+ 8. OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that.


9. Support for DNSSEC on outbound connections.

@@ -51,6 +50,12 @@ Version 4.83

11. PRDR is now supported dy default.

+12. OCSP stapling is now supported by default.
+
+13. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output
+    Delivery Status Notification messages in MIME format, and negociate
+    DSN features per RFC 3461.
+


Version 4.82
------------
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 7872f24..6657f63 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -6,97 +6,6 @@ about experimental features, all of which are unstable and
liable to incompatible change.


-OCSP Stapling support
---------------------------------------------------------------
-
-X.509 PKI certificates expire and can be revoked; to handle this, the
-clients need some way to determine if a particular certificate, from a
-particular Certificate Authority (CA), is still valid. There are three
-main ways to do so.
-
-The simplest way is to serve up a Certificate Revocation List (CRL) with
-an ordinary web-server, regenerating the CRL before it expires. The
-downside is that clients have to periodically re-download a potentially
-huge file from every certificate authority it knows of.
-
-The way with most moving parts at query time is Online Certificate
-Status Protocol (OCSP), where the client verifies the certificate
-against an OCSP server run by the CA. This lets the CA track all
-usage of the certs. This requires running software with access to the
-private key of the CA, to sign the responses to the OCSP queries. OCSP
-is based on HTTP and can be proxied accordingly.
-
-The only widespread OCSP server implementation (known to this writer)
-comes as part of OpenSSL and aborts on an invalid request, such as
-connecting to the port and then disconnecting. This requires
-re-entering the passphrase each time some random client does this.
-
-The third way is OCSP Stapling; in this, the server using a certificate
-issued by the CA periodically requests an OCSP proof of validity from
-the OCSP server, then serves it up inline as part of the TLS
-negotiation. This approach adds no extra round trips, does not let the
-CA track users, scales well with number of certs issued by the CA and is
-resilient to temporary OCSP server failures, as long as the server
-starts retrying to fetch an OCSP proof some time before its current
-proof expires. The downside is that it requires server support.
-
-If Exim is built with EXPERIMENTAL_OCSP and it was built with OpenSSL,
-or with GnuTLS 3.1.3 or later, then it gains a new global option:
-"tls_ocsp_file".
-
-The file specified therein is expected to be in DER format, and contain
-an OCSP proof. Exim will serve it as part of the TLS handshake. This
-option will be re-expanded for SNI, if the tls_certificate option
-contains $tls_sni, as per other TLS options.
-
-Exim does not at this time implement any support for fetching a new OCSP
-proof. The burden is on the administrator to handle this, outside of
-Exim. The file specified should be replaced atomically, so that the
-contents are always valid. Exim will expand the "tls_ocsp_file" option
-on each connection, so a new file will be handled transparently on the
-next connection.
-
-Under OpenSSL Exim will check for a valid next update timestamp in the
-OCSP proof; if not present, or if the proof has expired, it will be
-ignored.
-
-Also, given EXPERIMENTAL_OCSP, the smtp transport gains two options:
-- "hosts_require_ocsp"; a host-list for which an OCSP Stapling
-is requested and required for the connection to proceed. The default
-value is empty.
-- "hosts_request_ocsp"; a host-list for which (additionally) an OCSP
-Stapling is requested (but not necessarily verified). The default
-value is "*" meaning that requests are made unless configured
-otherwise.
-
-The host(s) should also be in "hosts_require_tls", and
-"tls_verify_certificates" configured for the transport.
-
-For the client to be able to verify the stapled OCSP the server must
-also supply, in its stapled information, any intermediate
-certificates for the chain leading to the OCSP proof from the signer
-of the server certificate. There may be zero or one such. These
-intermediate certificates should be added to the server OCSP stapling
-file (named by tls_ocsp_file).
-
-Note that the proof only covers the terminal server certificate,
-not any of the chain from CA to it.
-
-At this point in time, we're gathering feedback on use, to determine if
-it's worth adding complexity to the Exim daemon to periodically re-fetch
-OCSP files and somehow handling multiple files.
-
- A helper script "ocsp_fetch.pl" for fetching a proof from a CA
- OCSP server is supplied. The server URL may be included in the
- server certificate, if the CA is helpful.
-
- One failure mode seen was the OCSP Signer cert expiring before the end
- of validity of the OCSP proof. The checking done by Exim/OpenSSL
- noted this as invalid overall, but the re-fetch script did not.
-
-
-
-
Brightmail AntiSpam (BMI) suppport
--------------------------------------------------------------

diff --git a/src/src/EDITME b/src/src/EDITME
index 0d31ba5..d576fd7 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -416,6 +416,13 @@ EXIM_MONITOR=eximon.bin
# DISABLE_PRDR=yes

#------------------------------------------------------------------------------
+# Uncomment the following line to remove OCSP stapling support in TLS,
+# from Exim. Note it can only be supported when built with
+# GnuTLS 3.1.3 or later, or OpenSSL
+
+# DISABLE_OCSP=yes
+
+#------------------------------------------------------------------------------
# By default, Exim has support for checking the AD bit in a DNS response, to
# determine if DNSSEC validation was successful. If your system libraries
# do not support that bit, then set DISABLE_DNSSEC to "yes"
@@ -459,11 +466,6 @@ EXIM_MONITOR=eximon.bin
# CFLAGS += -I/opt/brightmail/bsdk-6.0/include
# LDFLAGS += -lxml2_single -lbmiclient_single -L/opt/brightmail/bsdk-6.0/lib

-# Uncomment the following line to add OCSP stapling support in TLS, if Exim
-# was built using OpenSSL, or with GnuTLS 3.1.3 or later.
-
-# EXPERIMENTAL_OCSP=yes
-
 # Uncomment the following line to add DMARC checking capability, implemented
 # using libopendmarc libraries.
 # EXPERIMENTAL_DMARC=yes
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index 0bb97a2..ba4615c 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -41,6 +41,8 @@ it's a default value. */
 #define DELIVER_IN_BUFFER_SIZE     8192
 #define DELIVER_OUT_BUFFER_SIZE    8192
 #define DISABLE_DKIM
+#define DISABLE_PRDR
+#define DISABLE_OCSP
 #define DISABLE_DNSSEC
 #define DISABLE_D_OPTION


@@ -169,7 +171,6 @@ it's a default value. */
 #define EXPERIMENTAL_DCC
 #define EXPERIMENTAL_DMARC
 #define EXPERIMENTAL_DSN
-#define EXPERIMENTAL_OCSP
 #define EXPERIMENTAL_PROXY
 #define EXPERIMENTAL_REDIS
 #define EXPERIMENTAL_SPF
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 68c0487..70f6a7a 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -3019,7 +3019,7 @@ while (!done)
     (void) tls_import_cert(ptr, &addr->ourcert);
       break;


-      #ifdef EXPERIMENTAL_OCSP
+      #ifndef DISABLE_OCSP
       case '4':
       addr->ocsp = OCSP_NOT_REQ;
       if (*ptr)
@@ -4167,7 +4167,7 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++)
       *ptr++ = 0;
         rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer);
     }
-      # ifdef EXPERIMENTAL_OCSP
+      #ifndef DISABLE_OCSP
       if (addr->ocsp > OCSP_NOT_REQ)
     {
     ptr = big_buffer;
diff --git a/src/src/exim.c b/src/src/exim.c
index 1435a0a..517b543 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -808,6 +808,9 @@ fprintf(f, "Support for:");
 #ifndef DISABLE_PRDR
   fprintf(f, " PRDR");
 #endif
+#ifndef DISABLE_OCSP
+  fprintf(f, " OCSP");
+#endif
 #ifdef EXPERIMENTAL_SPF
   fprintf(f, " Experimental_SPF");
 #endif
@@ -823,9 +826,6 @@ fprintf(f, "Support for:");
 #ifdef EXPERIMENTAL_DMARC
   fprintf(f, " Experimental_DMARC");
 #endif
-#ifdef EXPERIMENTAL_OCSP
-  fprintf(f, " Experimental_OCSP");
-#endif
 #ifdef EXPERIMENTAL_PROXY
   fprintf(f, " Experimental_Proxy");
 #endif
diff --git a/src/src/globals.c b/src/src/globals.c
index f8166aa..b3d2ab8 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -150,7 +150,7 @@ that's the interop problem which has been observed: GnuTLS suggesting a higher
 bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */
 int     tls_dh_max_bits        = 2236;
 uschar *tls_dhparam            = NULL;
-#if defined(EXPERIMENTAL_OCSP)
+#ifndef DISABLE_OCSP
 uschar *tls_ocsp_file          = NULL;
 #endif
 BOOL    tls_offered            = FALSE;
diff --git a/src/src/globals.h b/src/src/globals.h
index c2ab99b..cf9b61e 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -114,7 +114,7 @@ extern uschar *tls_channelbinding_b64; /* string of base64 channel binding */
 extern uschar *tls_crl;                /* CRL File */
 extern int     tls_dh_max_bits;        /* don't accept higher lib suggestions */
 extern uschar *tls_dhparam;            /* DH param file */
-#if defined(EXPERIMENTAL_OCSP)
+#ifndef DISABLE_OCSP
 extern uschar *tls_ocsp_file;          /* OCSP stapling proof file */
 #endif
 extern BOOL    tls_offered;            /* Server offered TLS */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 11f7184..fb14763 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -439,7 +439,7 @@ static optionlist optionlist_config[] = {
   { "tls_crl",                  opt_stringptr,   &tls_crl },
   { "tls_dh_max_bits",          opt_int,         &tls_dh_max_bits },
   { "tls_dhparam",              opt_stringptr,   &tls_dhparam },
-# if defined(EXPERIMENTAL_OCSP)
+# ifndef DISABLE_OCSP
   { "tls_ocsp_file",            opt_stringptr,   &tls_ocsp_file },
 # endif
   { "tls_on_connect_ports",     opt_stringptr,   &tls_in.on_connect_ports },
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index af43686..e85095d 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -43,7 +43,7 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 #if GNUTLS_VERSION_NUMBER >= 0x020c00
 # include <gnutls/pkcs11.h>
 #endif
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
 # include <gnutls/ocsp.h>
 #endif


@@ -216,7 +216,7 @@ static void exim_gnutls_logger_cb(int level, const char *message);

static int exim_sni_handling_cb(gnutls_session_t session);

-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
gnutls_datum_t * ocsp_response);
#endif
@@ -809,7 +809,7 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)

/* Set the OCSP stapling server info */

-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
 if (  !host    /* server */
    && tls_ocsp_file
    )
@@ -1485,7 +1485,7 @@ return 0;




-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP

static int
server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
@@ -1705,7 +1705,7 @@ smtp_transport_options_block *ob = v_ob;
int rc;
const char *error;
exim_gnutls_state_st *state = NULL;
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
NULL, host->name, host->address, NULL) == OK;
BOOL request_ocsp = require_ocsp ? TRUE
@@ -1787,7 +1787,8 @@ else
gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
}

-#ifdef EXPERIMENTAL_OCSP    /* since GnuTLS 3.1.3 */
+#ifndef DISABLE_OCSP
+            /* supported since GnuTLS 3.1.3 */
 if (request_ocsp)
   {
   DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
@@ -1827,7 +1828,7 @@ if (state->verify_requirement != VERIFY_NONE &&
     !verify_certificate(state, &error))
   return tls_error(US"certificate verification failed", error, state->host);


-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
if (require_ocsp)
{
DEBUG(D_tls)
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 1d6b914..05af3db 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -22,13 +22,13 @@ functions from the OpenSSL library. */
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
# include <openssl/ocsp.h>
#endif

-#ifdef EXPERIMENTAL_OCSP
-#define EXIM_OCSP_SKEW_SECONDS (300L)
-#define EXIM_OCSP_MAX_AGE (-1L)
+#ifndef DISABLE_OCSP
+# define EXIM_OCSP_SKEW_SECONDS (300L)
+# define EXIM_OCSP_MAX_AGE (-1L)
#endif

 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
@@ -88,7 +88,7 @@ static BOOL reexpand_tls_files_for_sni = FALSE;
 typedef struct tls_ext_ctx_cb {
   uschar *certificate;
   uschar *privatekey;
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
   BOOL is_server;
   union {
     struct {
@@ -127,7 +127,7 @@ setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL opt
 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
 #endif
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
 static int tls_server_stapling_cb(SSL *s, void *arg);
 #endif


@@ -213,7 +213,7 @@ return rsa_key;


 /* Extreme debug
-#if defined(EXPERIMENTAL_OCSP)
+#ifndef DISABLE_OCSP
 void
 x509_store_dump_cert_s_names(X509_STORE * store)
 {
@@ -295,7 +295,7 @@ else if (X509_STORE_CTX_get_error_depth(x509ctx) != 0)
   {
   DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n",
      X509_STORE_CTX_get_error_depth(x509ctx), txt);
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
   if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
     {    /* client, wanting stapling  */
     /* Add the server cert's signing chain as the one
@@ -486,7 +486,7 @@ return TRUE;




-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
 /*************************************************
 *       Load OCSP information into state         *
 *************************************************/
@@ -620,7 +620,7 @@ bad:
     }
 return;
 }
-#endif    /*EXPERIMENTAL_OCSP*/
+#endif    /*!DISABLE_OCSP*/




@@ -682,7 +682,7 @@ if (expanded != NULL && *expanded != 0)
       "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
   }


-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
{
if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
@@ -772,7 +772,7 @@ SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
if (cbinfo->server_cipher_list)
SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
if (cbinfo->u_ocsp.server.file)
{
SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
@@ -801,7 +801,7 @@ return SSL_TLSEXT_ERR_OK;



-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP

 /*************************************************
 *        Callback to handle OCSP Stapling        *
@@ -985,7 +985,7 @@ if(!(bs = OCSP_response_get1_basic(rsp)))
 OCSP_RESPONSE_free(rsp);
 return i;
 }
-#endif    /*EXPERIMENTAL_OCSP*/
+#endif    /*!DISABLE_OCSP*/




@@ -1011,7 +1011,7 @@ Returns:          OK/DEFER/FAIL
 static int
 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
   uschar *privatekey,
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
   uschar *ocsp_file,
 #endif
   address_item *addr, tls_ext_ctx_cb ** cbp)
@@ -1024,7 +1024,7 @@ tls_ext_ctx_cb *cbinfo;
 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
 cbinfo->certificate = certificate;
 cbinfo->privatekey = privatekey;
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
 if ((cbinfo->is_server = host==NULL))
   {
   cbinfo->u_ocsp.server.file = ocsp_file;
@@ -1126,7 +1126,7 @@ if (rc != OK) return rc;
 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
 if (host == NULL)        /* server */
   {
-# ifdef EXPERIMENTAL_OCSP
+# ifndef DISABLE_OCSP
   /* We check u_ocsp.server.file, not server.response, because we care about if
   the option exists, not what the current expansion might be, as SNI might
   change the certificate and OCSP file in use between now and the time the
@@ -1142,7 +1142,7 @@ if (host == NULL)        /* server */
   SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
   SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
   }
-# ifdef EXPERIMENTAL_OCSP
+# ifndef DISABLE_OCSP
 else            /* client */
   if(ocsp_file)        /* wanting stapling */
     {
@@ -1379,7 +1379,7 @@ if (tls_in.active >= 0)
 the error. */


 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
     tls_ocsp_file,
 #endif
     NULL, &server_static_cbinfo);
@@ -1549,7 +1549,7 @@ uschar *expciphers;
 X509* server_cert;
 int rc;
 static uschar cipherbuf[256];
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
 BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
   NULL, host->name, host->address, NULL) == OK;
 BOOL request_ocsp = require_ocsp ? TRUE
@@ -1559,7 +1559,7 @@ BOOL request_ocsp = require_ocsp ? TRUE


 rc = tls_init(&client_ctx, host, NULL,
     ob->tls_certificate, ob->tls_privatekey,
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
     (void *)(long)request_ocsp,
 #endif
     addr, &client_static_cbinfo);
@@ -1647,7 +1647,7 @@ if (ob->tls_sni)
     }
   }


-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
 /* Request certificate status at connection-time.  If the server
 does OCSP stapling we will get the callback (set in tls_init()) */
 if (request_ocsp)
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 38dcfa0..db424fa 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -102,14 +102,14 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, hosts_override) },
   { "hosts_randomize",      opt_bool,
       (void *)offsetof(smtp_transport_options_block, hosts_randomize) },
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_OCSP)
+#if defined(SUPPORT_TLS) && !defined(DISABLE_OCSP)
   { "hosts_request_ocsp",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) },
 #endif
   { "hosts_require_auth",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
 #ifdef SUPPORT_TLS
-# if defined EXPERIMENTAL_OCSP
+# ifndef DISABLE_OCSP
   { "hosts_require_ocsp",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_ocsp) },
 # endif
@@ -203,7 +203,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 #ifndef DISABLE_PRDR
   NULL,                /* hosts_try_prdr */
 #endif
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
   US"*",               /* hosts_request_ocsp */
   NULL,                /* hosts_require_ocsp */
 #endif
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index a481943..dd41e1f 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -24,7 +24,7 @@ typedef struct {
 #ifndef DISABLE_PRDR
   uschar *hosts_try_prdr;
 #endif
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
   uschar *hosts_request_ocsp;
   uschar *hosts_require_ocsp;
 #endif
diff --git a/test/scripts/5600-OCSP-OpenSSL/REQUIRES b/test/scripts/5600-OCSP-OpenSSL/REQUIRES
index 3d15ede..73788d3 100644
--- a/test/scripts/5600-OCSP-OpenSSL/REQUIRES
+++ b/test/scripts/5600-OCSP-OpenSSL/REQUIRES
@@ -1,3 +1,3 @@
 support OpenSSL
-support Experimental_OCSP
+support OCSP
 running IPv4
diff --git a/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES b/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES
index 77fbd5b..492da8f 100644
--- a/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES
+++ b/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES
@@ -1,4 +1,4 @@
 support OpenSSL
-support Experimental_OCSP
+support OCSP
 support Experimental_TPDA
 running IPv4
diff --git a/test/scripts/5650-OCSP-GnuTLS/REQUIRES b/test/scripts/5650-OCSP-GnuTLS/REQUIRES
index 78746ca..70ce2de 100644
--- a/test/scripts/5650-OCSP-GnuTLS/REQUIRES
+++ b/test/scripts/5650-OCSP-GnuTLS/REQUIRES
@@ -1,3 +1,3 @@
 support GnuTLS
-support Experimental_OCSP
+support OCSP
 running IPv4
diff --git a/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES b/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES
index 2650bd9..3798079 100644
--- a/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES
+++ b/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES
@@ -1,4 +1,4 @@
 support GnuTLS
-support Experimental_OCSP
+support OCSP
 support Experimental_TPDA
 running IPv4