[exim] OCSP stapling with multiple keys {ECDSA/RSA}

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
 
 
Delete this message
Reply to this message
Author: Torsten Tributh
Date:  
To: Exim-users
Subject: [exim] OCSP stapling with multiple keys {ECDSA/RSA}
Hi,
I asked in the past, if OCSP stapling can also be made with a list. This
part of code implementation is still not done for actual openssl or
gnutls implementations.

I found now a way to do it with plain config:

tls_certificate = ecdsa_chain.pem:rsa_chain.pem
tls_privatekey = ecdsa-key.pem:rsa-key.pem
tls_require_ciphers = "Make sure to use only ciphers mentioning RSA or
ECDSA in their name, not the historic ones (except TLS 1.3)"

tls_ocsp_file = ${if
match{$tls_cipher}{RSA}{ocspresponseRSA}{ocspresponseECDSA}}

This works also with the new upcoming TLS 1.3

In the case the ciphers has "*RSA*", we staple the OCSP-response for the
RSA Certificate. In all others case we staple the ECDSA-OCSP-response.
In TLS 1.3 their is no RSA or ECDSA in the ciphername and we staple the
OCSP-ECDSA-response to the first given tls_certificate, which in this
case is also the ECDSA-cert.


--
Torsten

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-[exim] Filter behavior when run from shell vs systemd[exim] Wildcards in aliases->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)