[exim] OCSP stapling with multiple keys {ECDSA/RSA}

Author: Torsten Tributh
Date:  
To: Exim-users
Subject: [exim] OCSP stapling with multiple keys {ECDSA/RSA}
Hi,
I asked in the past whether OCSP stapling can also be done with a list. That
part of the code is still not implemented for the current OpenSSL or
GnuTLS back ends.

I found now a way to do it with plain config:

tls_certificate = ecdsa_chain.pem:rsa_chain.pem
tls_privatekey = ecdsa-key.pem:rsa-key.pem
tls_require_ciphers = "Make sure to use only ciphers mentioning RSA or
ECDSA in their name, not the historic ones (except TLS 1.3)"

tls_ocsp_file = ${if match{$tls_cipher}{RSA}{ocspresponseRSA}{ocspresponseECDSA}}

This also works with the upcoming TLS 1.3.

If the cipher name contains "*RSA*", we staple the OCSP response for the
RSA certificate. In all other cases we staple the ECDSA OCSP response.
In TLS 1.3 there is no RSA or ECDSA in the cipher name, and we staple the
ECDSA OCSP response for the first given tls_certificate, which in this
case is also the ECDSA cert.


--
Torsten
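The selection rule above is an unanchored regex on $tls_cipher, so it is worth checking, for every suite a server can negotiate, which certificate is actually presented and whether the stapled response matches it. The following script is an added example, not code from the post or from Exim: it reproduces the ${if match{$tls_cipher}{RSA}...} expansion in Python, derives the presented key type from the suite name (with the TLS 1.3 first-certificate fallback the post describes), and flags the legacy suites whose names mention neither RSA nor ECDSA, which is why the post says to exclude them via tls_require_ciphers. The file names are the ones from the config above; the cipher strings are constructed sample values in the "TLSversion:suite:bits" layout Exim uses for $tls_cipher (an assumption about the exact layout, but the match itself only depends on the suite name).

```python
import re
from typing import Dict, List, Optional

# File names from the post's config. The cipher strings further down are
# constructed sample values in the "TLSversion:suite:bits" layout Exim uses
# for $tls_cipher (assumed here; only the suite name matters for the match).
OCSP_FILES = {"RSA": "ocspresponseRSA", "ECDSA": "ocspresponseECDSA"}


def exim_ocsp_choice(tls_cipher: str) -> str:
    """Expand ${if match{$tls_cipher}{RSA}{ocspresponseRSA}{ocspresponseECDSA}}.

    Exim's 'match' is an unanchored regex, so any 'RSA' substring anywhere in
    $tls_cipher selects the RSA response; everything else gets the ECDSA one.
    """
    return OCSP_FILES["RSA"] if re.search("RSA", tls_cipher) else OCSP_FILES["ECDSA"]


def presented_cert(tls_cipher: str, first_cert: str) -> Optional[str]:
    """Which of the two certificates the server actually presents for a suite.

    first_cert is the key type of the first tls_certificate entry ("ECDSA" in
    the post's setup). Returns None when the suite name does not say: legacy
    TLS<=1.2 names such as AES128-SHA use RSA key exchange without 'RSA' in
    the name, and anonymous/PSK/DSS suites present no RSA or ECDSA cert at all.
    """
    version, _, rest = tls_cipher.partition(":")
    suite = rest.split(":")[0]
    if version == "TLS1.3":
        # TLS 1.3 suite names carry no authentication algorithm; per the post,
        # Exim then staples the response belonging to the first listed chain.
        return first_cert
    if "ECDSA" in suite:
        return "ECDSA"
    if "RSA" in suite:          # covers ECDHE-RSA-..., DHE-RSA-..., RSA-PSK-...
        return "RSA"
    return None


def audit(tls_ciphers: List[str], first_cert: str = "ECDSA") -> Dict[str, str]:
    """Classify each suite:
       'ok'       stapled response matches the presented certificate
       'mismatch' the wrong response would be stapled
       'exclude'  the name says nothing; drop it via tls_require_ciphers
    """
    result = {}
    for cipher in tls_ciphers:
        stapled = exim_ocsp_choice(cipher)
        cert = presented_cert(cipher, first_cert)
        if cert is None:
            result[cipher] = "exclude"
        elif OCSP_FILES[cert] == stapled:
            result[cipher] = "ok"
        else:
            result[cipher] = "mismatch"
    return result


# Constructed sample of suites a server with both chains might negotiate.
SAMPLE_CIPHERS = [
    "TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256",
    "TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256",
    "TLS1.2:DHE-RSA-AES128-SHA256:128",
    "TLS1.2:AES128-SHA:128",              # RSA key exchange, name says nothing
    "TLS1.3:TLS_AES_256_GCM_SHA384:256",  # no auth algorithm in the name
]

if __name__ == "__main__":
    for order in ("ECDSA", "RSA"):
        print(f"first tls_certificate is {order}:")
        for cipher, verdict in audit(SAMPLE_CIPHERS, first_cert=order).items():
            print(f"  {verdict:9} {cipher} -> {exim_ocsp_choice(cipher)}")
```

Running it with the ECDSA chain listed first (the post's order) marks every named suite "ok" and AES128-SHA "exclude"; swapping the chain order turns the TLS 1.3 line into "mismatch", which is the point of keeping the ECDSA chain first when the fallback branch of the expansion returns the ECDSA response.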