| field | value | |
|---|---|---|
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-01-13 17:11:18 +0000 |
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-01-13 17:14:57 +0000 |
| commit | a9ea625141da4f2829506717fbb6abbcbf2fea0c (patch) | |
| tree | a8f68d8f63bf685381da01068151e85ff8f71c2e /doc/doc-docbook | |
| parent | b220576b3ba5396af6b3e0f45739f269079f8fc5 (diff) | |
Docs: add warning on OCSP must-staple certs vs. client-cert use.
Diffstat (limited to 'doc/doc-docbook')
-rw-r--r-- | doc/doc-docbook/spec.xfpt | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 7d4dfbbe7..d21a71857 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -28202,6 +28202,15 @@ checks are made: that the host name (the one in the DNS A record) is valid for the certificate. The option defaults to always checking. +.new +Do not use a client certificate that contains an "OCSP Must-Staple" extension. +TLS 1.2 and below does not support client-side OCSP stapling, and +(as of writing) the TLS libraries do not provide for it even with +TLS 1.3. +Be careful when using the same certificate for server- and +client-certificate for this reason. +.wen + The &(smtp)& transport has two OCSP-related options: &%hosts_require_ocsp%&; a host-list for which a Certificate Status is requested and required for the connection to proceed. The default |
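Review bot: the new `.new`/`.wen` paragraph tells the reader not to use a client certificate carrying the "OCSP Must-Staple" extension but never states what happens if they do, so the severity is unclear; the TLS Feature extension (RFC 7633) asks the verifying peer to reject a certificate that is presented without the stapled status, so the practical effect is that the client certificate is refused and the SMTP connection fails. Suggest adding a sentence along the lines of "A server verifying such a certificate is expected to reject it, since no stapled status can be supplied." Two wording fixes in the same block: "TLS 1.2 and below does not support client-side OCSP stapling" should read "TLS 1.2 and below do not support client-side OCSP stapling", and "(as of writing)" reads better as "(at the time of writing)". The closing sentence "Be careful when using the same certificate for server- and client-certificate for this reason." is awkward; suggest "For this reason, be careful when using one certificate as both a server and a client certificate." Finally, the paragraph is inserted between the host-name check and the &(smtp)& transport's OCSP options, which concern verifying the server's certificate status; consider also cross-referencing it from the place where the client certificate for outbound connections is configured, since that is where an administrator deploying such a certificate will look.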