[exim-dev] [Bug 2350] New: OCSP Problem for outgoing mails

Top Page
Delete this message
Reply to this message
Author: admin
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 2350] OCSP stapling, client side, [exim-dev] [Bug 2350] OCSP stapling, client side, [exim-dev] [Bug 2350] OCSP stapling, client side, [exim-dev] [Bug 2350] OCSP stapling, client side, [exim-dev] [Bug 2350] OCSP stapling, client side, [exim-dev] [Bug 2350] OCSP stapling, client side, [exim-dev] [Bug 2350] OCSP stapling, client side, [exim-dev] [Bug 2350] OCSP stapling, client side
Subject: [exim-dev] [Bug 2350] New: OCSP Problem for outgoing mails
https://bugs.exim.org/show_bug.cgi?id=2350

            Bug ID: 2350
           Summary: OCSP Problem for outgoing mails
           Product: Exim
           Version: 4.91
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
          Assignee: jgh146exb@???
          Reporter: torsten@???
                CC: exim-dev@???


Hi,
when I use OCSP-Must-Stable certificates with
the OID setting:
1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05
for the CSR to get a certificate, I must use later use
tls_certificate
tls_privatekey
and
tls_ocsp_file
settings.

If I have not got a valid tls_ocsp_file than the stapling fails and an
increasing amount of mailclients can't connect to the SMTP port, because of
failing TLS verification.
So there is no problem for the incoming way (if you take care of having a valid
staple-file), but what happens when I connect to another SMTP Server and I am
requested to show my certificate?

In the remote_smtp transport section, I am not able to enable stapling.
I get
    option "tls_ocsp_file" unknown
So, I show an OCSP-Must-Staple Certificate, but the OCSP stapled part is
missing. In a way I show an invalid cert. 
Actually it didn't show any problem, but that could change fast, during the
increasing deployment of safer TLS implementations.



Torsten

--
You are receiving this mail because:
You are on the CC list for the bug.