[exim-dev] [Bug 2350] OCSP stapling, client side

Startseite
Nachricht löschen
Nachricht beantworten
Autor: admin
Datum:  
To: exim-dev
Alte Treads: [exim-dev] [Bug 2350] New: OCSP Problem for outgoing mails
Betreff: [exim-dev] [Bug 2350] OCSP stapling, client side
https://bugs.exim.org/show_bug.cgi?id=2350

--- Comment #2 from Jeremy Harris <jgh146exb@???> ---
I note that the original RFC for stapling, 6066, only talks about it in terms
of the client requesting and the server supplying certificate status.
https://tools.ietf.org/html/rfc6066 Section 8.

Also the OpenSSL manpage for SSL_CTX_set_tlsext_status_cb() only describes
use in that direction, as does the GnuTLS docs page on OCSP stapling.

https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_status_ocsp_resp.html
https://www.gnutls.org/manual/html_node/OCSP-stapling.html

It may well be that client-certs are second class citizens in TLS1.2, and the
best recourse is to use limited-lifetime ones. In TLS1.3 however, RFC 8446
section 4.4.2.1 says that the server can request stapling by the client. It
remains to be seen what library support there may be.

--
You are receiving this mail because:
You are on the CC list for the bug.