author Jeremy Harris <jgh146exb@wizmail.org> 2019-07-15 10:53:35 +0100
committer Jeremy Harris <jgh146exb@wizmail.org> 2019-07-15 10:53:35 +0100
commit e41242f9612adaedadd5f3607b202f32ca086b4f (patch)
tree 633e623071ff07945048d1eea2b1ae138933220b /doc/doc-docbook/spec.xfpt
parent 467c84b2115a098caeaf044fcd4d2473f236edb6 (diff)
Docs: add note on unusability of must-staple certs by clients. Bug 2350
Diffstat (limited to 'doc/doc-docbook/spec.xfpt')
-rw-r--r-- doc/doc-docbook/spec.xfpt 7
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5463cc1a5..37ada7514 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -28478,6 +28478,13 @@ transport provide the client with a certificate, which is passed to the server
if it requests it. If the server is Exim, it will request a certificate only if
&%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.
+.new
+Do not use a certificate which has the OCSP-must-staple extension,
+for client use (they are usable for server use).
+As TLS has no means for the client to staple before TLS 1.3 it will result
+in failed connections.
+.wen
+
If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it
specifies a collection of expected server certificates.
These may be
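Review bot: The second added sentence ("As TLS has no means for the client to staple before TLS 1.3 it will result in failed connections.") leaves "it" without a clear referent and does not say what an administrator should expect when TLS 1.3 is negotiated, so a reader cannot tell whether the prohibition in the first sentence is absolute or depends on the protocol version. Suggest naming the subject, for example "Before TLS 1.3 the protocol gives a client no way to staple an OCSP response, so presenting such a certificate results in failed connections", and stating explicitly whether the advice still applies under TLS 1.3. In the first added sentence, "a certificate ... (they are usable for server use)" mixes singular and plural, and the comma before "for client use" is not needed.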