Author: Torsten Tributh
Date:
To: Exim-users
Subject: [exim] OCSP stapling with multiple keys {ECDSA/RSA}
Hi,
I asked in the past whether OCSP stapling can also be done with a list. This
part of the code is still not implemented for the current OpenSSL or
GnuTLS backends.
I have now found a way to do it with plain config:
tls_certificate = ecdsa_chain.pem:rsa_chain.pem
tls_privatekey = ecdsa-key.pem:rsa-key.pem
tls_require_ciphers = "Make sure to use only ciphers that mention RSA or
ECDSA in their name, not the historic ones (except for TLS 1.3)"
If the cipher name contains "*RSA*", we staple the OCSP response for the
RSA certificate. In all other cases we staple the ECDSA OCSP response.
In TLS 1.3 there is no RSA or ECDSA in the cipher name, and we staple the
ECDSA OCSP response for the first tls_certificate given, which in this
case is also the ECDSA cert.
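As an added check (not part of Torsten's post and not Exim's own code): a POSIX shell snippet that confirms which OCSP response a server actually staples for a given cipher selection, by pulling the serial number out of the Certificate ID in the stapled response printed by `openssl s_client -status` and comparing it with the serial of the certificate you expect. The host name, port, cipher names and serials are assumptions, and the embedded transcript is a constructed fixture; run it against your own server with the serials read from `ecdsa_chain.pem` and `rsa_chain.pem`. For TLS 1.3 the cipher name carries no key type, so the TLS 1.3 probe selects the certificate with `-sigalgs` instead of `-cipher`.

```shell
#!/bin/sh
# Added example, not from the original post or from Exim.
# Verifies that the OCSP response a server staples belongs to the
# certificate negotiated for a given cipher / signature-algorithm choice.

# staple_serial TRANSCRIPT
# Parse the text output of `openssl s_client -status` and print the serial
# number (upper-case hex) from the Certificate ID of the stapled OCSP
# response, or "none" when nothing was stapled. Only the range between
# "OCSP Response Data:" and the first "Cert Status:" is inspected, so the
# serial of the responder's own certificate (printed later) is not picked up.
staple_serial() {
    ss_out=$(printf '%s\n' "$1" \
        | sed -n '/OCSP Response Data:/,/Cert Status:/p' \
        | sed -n 's/^ *Serial Number: *\([0-9A-Fa-f]*\).*/\1/p' \
        | head -n 1 \
        | tr 'a-f' 'A-F')
    if [ -z "$ss_out" ]; then
        echo none
    else
        echo "$ss_out"
    fi
}

# probe_tls12 HOST PORT CIPHER
# Run an SMTP STARTTLS handshake restricted to TLS 1.2 and the given cipher
# name (e.g. ECDHE-RSA-AES256-GCM-SHA384 vs ECDHE-ECDSA-AES256-GCM-SHA384).
probe_tls12() {
    openssl s_client -connect "$1:$2" -starttls smtp -servername "$1" \
        -status -tls1_2 -cipher "$3" </dev/null 2>&1
}

# probe_tls13 HOST PORT SIGALG
# Same for TLS 1.3, where the certificate type is chosen by the client's
# signature_algorithms (e.g. rsa_pss_rsae_sha256 or ecdsa_secp256r1_sha256).
probe_tls13() {
    openssl s_client -connect "$1:$2" -starttls smtp -servername "$1" \
        -status -tls1_3 -sigalgs "$3" </dev/null 2>&1
}

# expect_staple TRANSCRIPT EXPECTED_SERIAL LABEL
# Return 0 if the stapled serial equals EXPECTED_SERIAL, 1 otherwise.
expect_staple() {
    es_got=$(staple_serial "$1")
    es_want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if [ "$es_got" = "$es_want" ]; then
        echo "ok: $3 stapled serial $es_got"
        return 0
    fi
    echo "MISMATCH: $3 stapled serial $es_got, expected $es_want"
    return 1
}

# Constructed fixture resembling `openssl s_client -status` output; the
# hashes and serials are made up and only exercise the parser.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = XX, O = Example CA
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
      Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
      Serial Number: 04a1b2c3d4e5f6
    Cert Status: good
    Certificate:
        Data:
            Serial Number: 99 (0x63)
======================================'

# selfcheck: parser sanity check on the fixture; returns 0 on success.
selfcheck() {
    [ "$(staple_serial "$SAMPLE_TRANSCRIPT")" = "04A1B2C3D4E5F6" ] || return 1
    [ "$(staple_serial 'OCSP response: no response sent')" = "none" ] || return 1
    return 0
}

# Usage against a real server (assumed host name and files):
#   rsa=$(openssl x509 -in rsa_chain.pem   -noout -serial | cut -d= -f2)
#   ecc=$(openssl x509 -in ecdsa_chain.pem -noout -serial | cut -d= -f2)
#   expect_staple "$(probe_tls12 mail.example.org 25 ECDHE-RSA-AES256-GCM-SHA384)"   "$rsa" rsa-1.2
#   expect_staple "$(probe_tls12 mail.example.org 25 ECDHE-ECDSA-AES256-GCM-SHA384)" "$ecc" ecdsa-1.2
#   expect_staple "$(probe_tls13 mail.example.org 25 rsa_pss_rsae_sha256)"           "$rsa" rsa-1.3
```

A mismatch on the `rsa-1.3` line is exactly the case the post describes: under TLS 1.3 the server may send the RSA certificate while stapling the ECDSA response, and a client that validates the staple against the presented leaf will then reject it.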