author    Jeremy Harris <jgh146exb@wizmail.org>    2016-05-04 14:48:41 +0100
committer Jeremy Harris <jgh146exb@wizmail.org>    2016-05-04 14:48:41 +0100
commit    23bb69826c8d600ce4a268ad27e14b0390e540c8 (patch)
tree      24fb48e5aba9e8fa2625b106ca07f05720e59bb0 /doc/doc-docbook
parent    789f8a4f4046120b7ae2aafa45f7f45c3ae4c8f5 (diff)
TLS: when tls_certificates unset, generate a selfsigned cert
Diffstat (limited to 'doc/doc-docbook')
-rw-r--r--  doc/doc-docbook/spec.xfpt  24
1 files changed, 18 insertions, 6 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index ddb0001a5..ba32403d6 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16843,8 +16843,8 @@ of the STARTTLS command to set up an encrypted session is advertised in
response to EHLO only to those client hosts that match this option. See
chapter &<<CHAPTLS>>& for details of Exim's support for TLS.
Note that the default value requires that a certificate be supplied
-using the &%tls_certificate%& option. If no certificate is available then
-the &%tls_advertise_hosts%& option should be set empty.
+using the &%tls_certificate%& option. If TLS support for incoming connections
+is not required the &%tls_advertise_hosts%& option should be set empty.
.option tls_certificate main string&!! unset
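Review bot: the unchanged sentence just above the edited lines, "Note that the default value requires that a certificate be supplied using the &%tls_certificate%& option", now contradicts what this commit implements (a self-signed certificate is generated when &%tls_certificate%& is unset), so a certificate is no longer strictly required for the default to work. Suggest rewording that sentence alongside the new one, e.g. "Note that with the default value TLS is advertised to all hosts; if no certificate is supplied via &%tls_certificate%&, a self-signed one is generated." The new "If TLS support for incoming connections is not required" wording is an improvement, since an empty &%tls_advertise_hosts%& is the correct way to disable STARTTLS rather than a workaround for a missing certificate.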
@@ -16865,6 +16865,11 @@ if the OpenSSL build supports TLS extensions and the TLS client sends the
Server Name Indication extension, then this option and others documented in
&<<SECTtlssni>>& will be re-expanded.
+.new
+If this option is unset or empty a fresh self-signed certificate will be
+generated for every connection.
+.wen
+
.option tls_crl main string&!! unset
.cindex "TLS" "server certificate revocation list"
.cindex "certificate" "revocation list for server"
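Review bot: the new paragraph states the mechanism but not its security consequence; since this is where &%tls_certificate%& is documented, it should say here that a per-connection self-signed certificate cannot be verified by the client, so the session is encrypted but the server is not authenticated, with a cross-reference to the discussion in chapter &<<CHAPTLS>>&. It would also help operators to state whether "a fresh self-signed certificate ... for every connection" means a fresh key pair per connection, as that is a per-connection CPU cost on a busy listener and means clients see a different certificate each time. Minor: a comma is needed after "empty" in "If this option is unset or empty a fresh self-signed certificate".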
@@ -26958,10 +26963,17 @@ with the error
If a STARTTLS command is issued within an existing TLS session, it is
rejected with a 554 error code.
-To enable TLS operations on a server, you must set &%tls_advertise_hosts%& to
-match some hosts. You can, of course, set it to * to match all hosts.
-However, this is not all you need to do. TLS sessions to a server won't work
-without some further configuration at the server end.
+To enable TLS operations on a server, the &%tls_advertise_hosts%& option
+must be set to match some hosts. The default is * which matches all hosts.
+
+.new
+If this is all you do, TLS encryption will be enabled but not authentication -
+meaning that the peer has no assurance it is actually you he is talking to.
+You gain protection from a passive sniffer listening on the wire but not
+from someone able to intercept the communication.
+.wen
+
+Further protection requires some further configuration at the server end.
It is rumoured that all existing clients that support TLS/SSL use RSA
encryption. To make this work you need to set, in the server,
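Review bot: the new .new/.wen paragraph does not say why authentication is missing; tie it to the preceding hunks by stating that with no &%tls_certificate%& set the server presents a generated self-signed certificate that the client cannot verify, e.g. "If this is all you do, Exim presents a self-signed certificate and TLS encryption will be enabled but not authentication". The threat description could be more precise: "someone able to intercept the communication" should name an active attacker who can modify traffic in transit (a man-in-the-middle), as opposed to the passive sniffer already mentioned. Style: replace "it is actually you he is talking to" with "it is actually you they are talking to", and reword "Further protection requires some further configuration" to avoid the repeated "further".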