https://bugs.exim.org/show_bug.cgi?id=2352
Bug ID: 2352
Summary: Enforce must-staple cert checks
Product: Exim
Version: 4.91
Hardware: All
OS: All
Status: NEW
Severity: wishlist
Priority: low
Component: TLS
Assignee: jgh146exb@???
Reporter: jgh146exb@???
CC: exim-dev@???
RFC 7633 defines a cert extension saying that use of it must be accompanied
by cert-status ("OCSP stapling") if a client requests stapling. This applies
for the leaf-cert if any cert in the chain has the extension. Lacking
stapling, the chain must be regarded as invalid.
Exim should code those checks, if the TLS library version does not.
It is unclear what the situation for client certs is. Pre-TLS1.3 cannot do
a server requesting stapling from the client, but TLS1.3 can (though it also
is not clear if libraries support that yet).
It is unclear whether, under TLS1.3, every chain element must be checked for
associated status or only the leaf.
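An added example of the check the report asks for, written here as a stand-alone illustration; it is not Exim code and not from the reporter. The TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, value `SEQUENCE OF INTEGER` of TLS extension types) is decoded from its real DER encoding; the chain "certificates" are constructed dicts carrying only a subject label and an OID-to-DER map of extensions, standing in for whatever the TLS library hands back. Applying the extension to every chain element rather than only the leaf follows the reading in the report; treating `status_request_v2` (17) the same as `status_request` (5) is an assumption of the example.

```python
# Added example (not Exim code): RFC 7633 must-staple policy over a chain.
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                        # TLS status_request, RFC 6066
STATUS_REQUEST_V2 = 17                    # TLS status_request_v2, RFC 6961
                                          # (treated as equivalent here: assumption)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def parse_tls_feature(der: bytes) -> list:
    """Decode a TLSFeature extension value: SEQUENCE OF INTEGER."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("TLSFeature must be exactly one SEQUENCE")
    features, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("TLSFeature elements must be INTEGER")
        features.append(int.from_bytes(value, "big", signed=True))
    return features


def must_staple_required(chain) -> bool:
    """True if any cert in the chain asserts the status_request feature.
    Checking every element, not only the leaf, follows the report's reading."""
    for cert in chain:
        ext = cert["extensions"].get(TLS_FEATURE_OID)
        if ext is None:
            continue
        feats = parse_tls_feature(ext)
        if STATUS_REQUEST in feats or STATUS_REQUEST_V2 in feats:
            return True
    return False


def check_must_staple(chain, client_requested_status: bool, stapled_response):
    """Return (ok, reason) for the presented chain under RFC 7633.

    stapled_response is the raw status bytes the peer sent, or None.  A present
    staple still has to be validated (signature, freshness, 'good' status) by
    the OCSP code; that is outside this check.
    """
    if not client_requested_status:
        return True, "client did not request status; no must-staple obligation"
    if not must_staple_required(chain):
        return True, "no TLS Feature extension in chain"
    if stapled_response:
        return True, "must-staple satisfied: stapled status present"
    return False, "must-staple chain presented without stapled status; reject"


# Constructed sample data (labels only, no real certificates).
TLS_FEATURE_STATUS_REQUEST = bytes.fromhex("3003020105")      # SEQUENCE { 5 }
TLS_FEATURE_BOTH = bytes.fromhex("3006020105020111")          # SEQUENCE { 5, 17 }
FAKE_STAPLE = b"\x30\x03\x0a\x01\x00"                          # placeholder bytes

LEAF_MUST_STAPLE_CHAIN = [
    {"subject": "CN=mx.example.test",
     "extensions": {TLS_FEATURE_OID: TLS_FEATURE_STATUS_REQUEST}},
    {"subject": "CN=Example Issuing CA", "extensions": {}},
]
CA_ONLY_MUST_STAPLE_CHAIN = [          # extension on the intermediate only
    {"subject": "CN=mx.example.test", "extensions": {}},
    {"subject": "CN=Example Issuing CA",
     "extensions": {TLS_FEATURE_OID: TLS_FEATURE_BOTH}},
]
PLAIN_CHAIN = [
    {"subject": "CN=mx.example.test", "extensions": {}},
    {"subject": "CN=Example Issuing CA", "extensions": {}},
]

if __name__ == "__main__":
    for name, chain in [("leaf", LEAF_MUST_STAPLE_CHAIN),
                        ("ca-only", CA_ONLY_MUST_STAPLE_CHAIN),
                        ("plain", PLAIN_CHAIN)]:
        for staple in (None, FAKE_STAPLE):
            ok, why = check_must_staple(chain, True, staple)
            print(f"{name:8} staple={'yes' if staple else 'no':3} -> {ok}: {why}")
```

The decision only fires when the client actually sent a status request, which is the condition the RFC and the report attach to the requirement; for the client-certificate direction under TLS 1.3 the same function applies with the roles swapped, provided the library exposes whether the server requested status from the client.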