[exim-dev] [Bug 2352] New: Enforce must-staple cert checks

Startseite
Nachricht löschen
Nachricht beantworten
Autor: admin
Datum:  
To: exim-dev
Neue Treads: [exim-dev] [Bug 2352] Enforce must-staple cert checks
Betreff: [exim-dev] [Bug 2352] New: Enforce must-staple cert checks
https://bugs.exim.org/show_bug.cgi?id=2352

            Bug ID: 2352
           Summary: Enforce must-staple cert checks
           Product: Exim
           Version: 4.91
          Hardware: All
                OS: All
            Status: NEW
          Severity: wishlist
          Priority: low
         Component: TLS
          Assignee: jgh146exb@???
          Reporter: jgh146exb@???
                CC: exim-dev@???


RFC 7633 defines a cert extension saying that use of it must be accompanied
by cert-status ("OCSP stapling") if a client requests stapling. This applies
for the leaf-cert if any cert in the chain has the extension. Lacking
stapling,
the chain must be regarded as invalid.

Exim should code those checks, if the TLS library version does not.

It is unclear what the situation for client certs is. Pre-TLS1.3 cannot do
a server requesting stapling from the client, but TLS1.3 can (though it also
is not clear if libraries support that yet).

It is unclear whether, under TLS1.3, every chain element must be checked for
associated status or only the leaf.

--
You are receiving this mail because:
You are on the CC list for the bug.