[exim-dev] [Bug 1664] OSCP stapling with GnuTLS results in d…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1664] OSCP stapling with GnuTLS results in dropped connections
https://bugs.exim.org/show_bug.cgi?id=1664

--- Comment #8 from Git Commit <git@???> ---
Git commit:
http://git.exim.org/exim.git/commitdiff/82d14d6a7ecbaf515d7feb30c351c92a4b429f43

commit 82d14d6a7ecbaf515d7feb30c351c92a4b429f43
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Aug 2 14:33:56 2015 +0100
Commit:     Jeremy Harris <jgh146exb@???>
CommitDate: Sun Aug 2 14:33:56 2015 +0100


    Docs: add notes on library version limitations on OCSP stapling.  Bug 1664
---
 doc/doc-docbook/spec.xfpt | 8 +++++++-
 doc/doc-txt/ChangeLog     | 4 ++++
 2 files changed, 11 insertions(+), 1 deletion(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index e1eaf3f..69a810c 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16668,6 +16668,10 @@ must if set expand to the absolute path to a file
which contains a current
status proof for the server's certificate, as obtained from the
Certificate Authority.

+.new
+Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
+.wen
+

.option tls_on_connect_ports main "string list" unset
.cindex SSMTP
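Review bot: the version thresholds in the added `.new` paragraph ("GnuTLS 3.4.4 or 3.3.17") do not match the ones this same commit writes further down in spec.xfpt ("earlier than version 3.3.16 / 3.4.8") or in the ChangeLog entry ("at/before 3.3.16 and 3.4.4"); settle on one set of minimum working releases per GnuTLS branch and use it in all three places. The placement of "(or later)" is also ambiguous, as it reads as qualifying only OpenSSL 1.1.0; consider `Usable for GnuTLS 3.3.17 or 3.4.4, or OpenSSL 1.1.0, or later versions of each.`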
@@ -26754,7 +26758,9 @@ starts retrying to fetch an OCSP proof some time before
its current
proof expires. The downside is that it requires server support.

Unless Exim is built with the support disabled,
-or with GnuTLS earlier than version 3.1.3,
+.new
+or with GnuTLS earlier than version 3.3.16 / 3.4.8
+.wen
support for OCSP stapling is included.

There is a global option called &%tls_ocsp_file%&.
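Review bot: "earlier than version 3.3.16 / 3.4.8" contradicts both the `tls_ocsp_file` note added above in this file ("Usable for GnuTLS 3.4.4 or 3.3.17") and the ChangeLog entry ("at/before 3.3.16 and 3.4.4"): with this wording 3.3.16, and 3.4.4 through 3.4.7, count as supported here but unsupported elsewhere in the same commit. State the first release of each GnuTLS branch in which stapling works correctly and reuse the same numbers in all three places. It would also help operators reading only this section to say why older versions are excluded, e.g. `(earlier versions send an OCSP response even to clients that did not request one, which causes those clients to drop the TLS connection)`, since that is the failure the ChangeLog describes and the reason an upgrade matters.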
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 654361a..45eea03 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -4,6 +4,10 @@ Change log file for Exim from version 4.21

 Exim version 4.87
 -----------------
+JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16
+      and 3.4.4 - once the server is enabled to respond to an OCSP request
+      it does even when not requested, resulting in a stapling non-aware
+      client dropping the TLS connection.



Exim version 4.86
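Review bot: the ChangeLog thresholds ("at/before 3.3.16 and 3.4.4") are a third, different pair from the two written into spec.xfpt in this same commit; all three should agree, and this entry is the one operators will read to decide whether their GnuTLS needs upgrading. Minor wording: "it does even when not requested" should read "it does so even when not requested", and "Disable OCSP" is broader than what the entry goes on to describe, so consider saying "Disable OCSP stapling" to make clear that only the server-side stapling response is affected.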

--
You are receiving this mail because:
You are on the CC list for the bug.