author Jeremy Harris <jgh146exb@wizmail.org> 2020-08-19 21:09:04 +0100
committer Jeremy Harris <jgh146exb@wizmail.org> 2020-08-20 00:00:22 +0100
commit 7044dd8fd62e215572ecf5a2c7f1bb9581cf6628 (patch)
tree bcca106e4834b86f3fce79503768eff86441edb0 /doc/doc-docbook/spec.xfpt
parent 7f83b348ccf4cd815e9758ab9ca1012e66324e9d (diff)
DANE: force SNI to use $domain. Bug 2265
Note: this is not a complete fix for the issue
Diffstat (limited to 'doc/doc-docbook/spec.xfpt')
-rw-r--r-- doc/doc-docbook/spec.xfpt | 14
1 files changed, 12 insertions, 2 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 37bfeb3f3..ab13a427b 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -25761,7 +25761,11 @@ See &<<SECTresumption>>& for details.
.cindex "TLS" SNI
.cindex SNI "setting in client"
.vindex "&$tls_sni$&"
-If this option is set then it sets the $tls_out_sni variable and causes any
+If this option is set
+.new
+and the connection is not DANE-validated
+.wen
+then it sets the $tls_out_sni variable and causes any
TLS session to pass this value as the Server Name Indication extension to
the remote side, which can be used by the remote side to select an appropriate
certificate and private key for the session.
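Review bot: the rewritten line `+then it sets the $tls_out_sni variable and causes any` carries over the bare `$tls_out_sni` spelling, while the rest of the document (including the next hunk, `The &$tls_out_sni$& variable will be set`) uses the `&$...$&` variable markup; since this line is being touched anyway, change it to `&$tls_out_sni$&`. Splitting the sentence across `.new`/`.wen` is fine for xfpt, but the option description now says only what happens when the connection is not DANE-validated; a short clause stating what the variable holds in the DANE-validated case (the domain, per the commit message) would keep this entry self-contained rather than relying on the reader finding the later paragraph.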
@@ -29395,6 +29399,11 @@ nothing more to it. Choosing a sensible value not derived insecurely is the
only point of caution. The &$tls_out_sni$& variable will be set to this string
for the lifetime of the client connection (including during authentication).
+.new
+If DAVE validated the connection attempt then the value of the &%tls_sni%& option
+is forced to the domain part of the recipient address.
+.wen
+
Except during SMTP client sessions, if &$tls_in_sni$& is set then it is a string
received from a client.
It can be logged with the &%log_selector%& item &`+tls_sni`&.
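Review bot: typo in `+If DAVE validated the connection attempt then the value of the &%tls_sni%& option`: `DAVE` should be `DANE`. Separately, the commit message says the SNI is forced to `$domain`, while this text says "the domain part of the recipient address"; naming the variable here (`&$domain$&`) would let readers match the description to the option's expansion context, and the `.new`/`.wen` block should probably also say explicitly that any configured `tls_sni` value is ignored in that case, since "forced" alone leaves open whether the configured value is still expanded.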
@@ -29692,7 +29701,7 @@ by (a) is thought to be smaller than that of the set of root CAs.
It also allows the server to declare (implicitly) that connections to it should use TLS. An MITM could simply
fail to pass on a server's STARTTLS.
-DANE scales better than having to maintain (and side-channel communicate) copies of server certificates
+DANE scales better than having to maintain (and communicate via side-channel) copies of server certificates
for every possible target server. It also scales (slightly) better than having to maintain on an SMTP
client a copy of the standard CAs bundle. It also means not having to pay a CA for certificates.
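Review bot: the wording change in `+DANE scales better than having to maintain (and communicate via side-channel) copies of server certificates` is unrelated to the DANE/SNI fix described in the commit message and would be cleaner as its own commit; if it stays, `communicate via a side channel` reads more naturally than `communicate via side-channel`.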
@@ -29837,6 +29846,7 @@ If DANE is requested and useable (see above) the following transport options are
tls_verify_certificates
tls_crl
tls_verify_cert_hostnames
+ tls_sni
.endd
If DANE is not usable, whether requested or not, and CA-anchored
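Review bot: the `+ tls_sni` entry joins a list of transport options whose handling changes when DANE is usable, but the list gives no hint that this option's value is replaced by the domain rather than simply disregarded like the others; a cross-reference to the `tls_sni` paragraph added in the second hunk would make that distinction clear. This hunk is also the only one of the four without `.new`/`.wen` markers around the added line, so the change will not be flagged as new in the rendered spec.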