Re: [exim] OCSP stapling failure with letsencrypt

Author: Renaud Allard
Date:  
To: exim-users
Subject: Re: [exim] OCSP stapling failure with letsencrypt


On 29/10/2016 13:37, Jeremy Harris wrote:
> On 27/10/16 21:09, Renaud Allard wrote:
>> In openssl source, you can see that the call should be something like:
>> OCSP_basic_verify(bs, verify_other, store, verify_flags);
>
> That's overstating the case, "Can be". The question is, when is
> it appropriate and safe from a security standpoint to verify
> the OCSP proof using an alternate set-of-trust-anchors?
>

If you specify a certificate to be trusted, then you assume
responsibility for the certificate you specified. It is your
configuration; you are not "required" to add a "third-party" certificate
if you don't want to.
Here, this is how letsencrypt operates, so there is not much choice if
you want any kind of OCSP stapling with them.
Asking if adding the certificate is safe is about the same as asking if
letsencrypt is safe (or not).
The thing is, more and more people are now using letsencrypt and even
switching from other providers to go there. And currently, exim doesn't
let you do stapling with letsencrypt.