[exim-cvs] Docs: add warning on OCSP must-staple certs vs. …

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Docs: add warning on OCSP must-staple certs vs. client-cert use.
Gitweb: https://git.exim.org/exim.git/commitdiff/a9ea625141da4f2829506717fbb6abbcbf2fea0c
Commit:     a9ea625141da4f2829506717fbb6abbcbf2fea0c
Parent:     b220576b3ba5396af6b3e0f45739f269079f8fc5
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Jan 13 17:11:18 2019 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Jan 13 17:14:57 2019 +0000


    Docs: add warning on OCSP must-staple certs vs. client-cert use.
---
 doc/doc-docbook/spec.xfpt | 9 +++++++++
 1 file changed, 9 insertions(+)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 7d4dfbb..d21a718 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -28202,6 +28202,15 @@ checks are made: that the host name (the one in the DNS A record)
is valid for the certificate.
The option defaults to always checking.

+.new
+Do not use a client certificate that contains an "OCSP Must-Staple" extension.
+TLS 1.2 and below does not support client-side OCSP stapling, and
+(as of writing) the TLS libraries do not provide for it even with
+TLS 1.3.
+Be careful when using the same certificate for server- and
+client-certificate for this reason.
+.wen
+
The &(smtp)& transport has two OCSP-related options:
&%hosts_require_ocsp%&; a host-list for which a Certificate Status
is requested and required for the connection to proceed. The default
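Review bot: the added `.new`/`.wen` paragraph in this hunk tells the admin what not to do but not what actually fails, and its last sentence reads awkwardly. Suggest adding the observable consequence so the symptom can be recognised: a peer that enforces the certificate's "OCSP Must-Staple" (TLS Feature, RFC 7633) extension will reject a client certificate that arrives without a stapled OCSP response, and Exim cannot supply one because, as the paragraph notes, TLS 1.2 has no client-side stapling and the libraries do not yet offer it for TLS 1.3. Also reword `Be careful when using the same certificate for server- and` / `client-certificate for this reason.` to something like `For this reason, take care when using a single certificate for both server and client authentication.`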