Re: [exim] Advertising TLS

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Viktor Dukhovni
Datum:  
To: exim-users
Betreff: Re: [exim] Advertising TLS
On Tue, Nov 03, 2015 at 04:41:30PM +0000, Jeremy Harris wrote:
> On 03/11/15 16:34, Daryl Richards wrote:
> > Their certificate should still work for SSL/TLS on the
> > server, as there's no real difference between that and a web server
> > SSL/TLS cert...
>
> apart from the Certificate Usage field...


I think youe mean X.509 "keyUsage" and "extendedKeyUsage". The
latter distinguishes between email signing, TLS server auth, and
TLS client auth.

    https://www.openssl.org/docs/manmaster/apps/x509v3_config.html


    Key Usage.


    Key usage is a multi valued extension consisting of a list of
    names of the permitted key usages.


    The supported names are: digitalSignature, nonRepudiation,
    keyEncipherment, dataEncipherment, keyAgreement, keyCertSign,
    cRLSign, encipherOnly and decipherOnly.


    Extended Key Usage.


    This extensions consists of a list of usages indicating
    purposes for which the certificate public key can be used
    for,


    These can either be object short names of the dotted
    numerical form of OIDs. While any OID can be used only
    certain values make sense. In particular the following
    PKIX, NS and MS values are meaningful:


     Value                  Meaning
     -----                  -------
     serverAuth             SSL/TLS Web Server Authentication.
     clientAuth             SSL/TLS Web Client Authentication.
     codeSigning            Code signing.
     emailProtection        E-mail Protection (S/MIME).
     timeStamping           Trusted Timestamping
     msCodeInd              Microsoft Individual Code Signing (authenticode)
     msCodeCom              Microsoft Commercial Code Signing (authenticode)
     msCTLSign              Microsoft Trust List Signing
     msEFS                  Microsoft Encrypted File System


-- 
    Viktor.