author Jeremy Harris <jgh146exb@wizmail.org> 2016-10-12 13:40:19 +0100
committer Jeremy Harris <jgh146exb@wizmail.org> 2016-10-12 13:40:19 +0100
commit 4233fe0a33ed8dba34764472af7ac224321cb53d (patch)
tree 2568f1f245e130553a4b950aeac0968f2801884b
parent 8e6c4db10e5b9bc2fa89a7b5d38fcf12bb03fd2f (diff)
Docs: add warning on SNI-dependent certfile expansion needing a good default
-rw-r--r-- doc/doc-docbook/spec.xfpt | 7
1 files changed, 6 insertions, 1 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 97df293d5..45d845718 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -27537,8 +27537,13 @@ during TLS session handshake, to permit alternative values to be chosen:
Great care should be taken to deal with matters of case, various injection
attacks in the string (&`../`& or SQL), and ensuring that a valid filename
-can always be referenced; it is important to remember that &$tls_sni$& is
+can always be referenced; it is important to remember that &$tls_in_sni$& is
arbitrary unverified data provided prior to authentication.
+.new
+Further, the initial cerificate is loaded before SNI is arrived, so
+an expansion for &%tls_certificate%& must have a default which is used
+when &$tls_in_sni$& is empty.
+.wen
The Exim developers are proceeding cautiously and so far no other TLS options
are re-expanded.
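Review bot: the added paragraph between `.new` and `.wen` has a spelling error and an awkward phrase that will ship into the published spec: "cerificate" should be "certificate", and "before SNI is arrived" should read "before the SNI value arrives" (or "before any SNI is received"). Suggested wording for the three added lines: "Further, the initial certificate is loaded before any SNI value has been received, so an expansion for &%tls_certificate%& must have a default which is used when &$tls_in_sni$& is empty." Since the surrounding context already stresses that a valid filename must always be referenced, it would also help the reader to say plainly that an expansion with no such default yields no usable certificate for the initial load, which is the failure the warning is meant to prevent. The variable rename from &$tls_sni$& to &$tls_in_sni$& in the context line is correct and consistent with the new paragraph.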