| field | value | date |
|---|---|---|
| author | Wolfgang Breyha <wbreyha@gmx.net> | 2014-03-15 14:16:05 +0000 |
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-03-15 14:18:16 +0000 |
| commit | e8793bad207763b266bedcb9d859e238b6a3a04e (patch) | |
| tree | 4bbe25c461740cf54a672db822214bc546df9b81 /doc/doc-docbook | |
| parent | 6a43fca1821be6919fe0660f8ee5ef4b07b6ae37 (diff) | |
| parent | 02bf26279e41fa715e74ea45d2a5903635ad5ee1 (diff) | |
Add tls_verify_hosts and tls_try_verify_hosts to smtp transport. Bug 1371
Code by Wolfgang Breyha, docs and testsuite by Jeremy Harris
Diffstat (limited to 'doc/doc-docbook')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index cab1c82dd..ae4d75ecb 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -23027,6 +23027,14 @@ unknown state), opens a new one to the same host, and then tries the delivery in clear. +.option tls_try_verify_hosts smtp "host list&!! unset +.cindex "TLS" "server certificate verification" +.cindex "certificate" "verification of server" +For OpenSSL only, this option gives a list of hosts for which, on encrypted connections, +certificate verification will be tried but need not succeed. +The &%tls_verify_certificates%& option must also be set. + + .option tls_verify_certificates smtp string&!! unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" @@ -23041,6 +23049,20 @@ single file if you are using GnuTLS. The values of &$host$& and &$host_address$& are set to the name and address of the server during the expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS. +For back-compatability, or when GnuTLS is used, +if neither tls_verify_hosts nor tls_try_verify_hosts are set +and certificate verification fails the TLS connection is closed. + + +.option tls_verify_hosts smtp "host list&!! unset +.cindex "TLS" "server certificate verification" +.cindex "certificate" "verification of server" +For OpenSSL only, this option gives a list of hosts for which. on encrypted connections, +certificate verification must succeed. +The &%tls_verify_certificates%& option must also be set. +If both this option and &%tls_try_verify_hosts%& are unset +operation is as if this option selected all hosts. + 
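Review bot: the new `.option tls_try_verify_hosts smtp "host list&!! unset` line in the first hunk opens a double quote around the type field that is never closed; the neighbouring `.option tls_verify_certificates smtp string&!! unset` shows the type is a single token, so the two-word type should read `"host list&!!"` with the closing quote before `unset`, otherwise the xfpt `.option` macro receives a mis-tokenised argument list. The description also says `&%tls_verify_certificates%&` "must also be set" without saying what happens when it is not (is the host list ignored, or is it a configuration error?); one sentence here would spare the reader guessing.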
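Review bot: the second hunk carries two typos that will otherwise ship in the spec: "For back-compatability" should read "For backward compatibility", and "a list of hosts for which. on encrypted connections," has a full stop where a comma belongs. The `.option tls_verify_hosts smtp "host list&!! unset` line has the same unclosed quote around `"host list&!!` as the tls_try_verify_hosts entry. Minor style: "if neither tls_verify_hosts nor tls_try_verify_hosts are set" should be "is set", and those two bare option names should use the `&%...%&` markup the rest of the hunk uses (e.g. `&%tls_try_verify_hosts%&`), so the rendered spec cross-references them like every other option mention.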
@@ -25942,6 +25964,12 @@ for OpenSSL only (not GnuTLS), a directory, that contains a collection of expected server certificates. The client verifies the server's certificate against this collection, taking into account any revoked certificates that are in the list defined by &%tls_crl%&. +Failure to verify fails the TLS connection unless either of the +&%tls_verify_hosts%& or &%tls_try_verify_hosts%& options are set. + +The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict +certificate verification to the listed servers. Verification either must +or need not succeed respectively. If &%tls_require_ciphers%& is set on the &(smtp)& transport, it must contain a |
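Review bot: "Failure to verify fails the TLS connection unless either of the &%tls_verify_hosts%& or &%tls_try_verify_hosts%& options are set" overstates the relaxation: per the tls_verify_hosts text added earlier in this patch, a host matching &%tls_verify_hosts%& still has its connection closed when verification fails; only a host matching &%tls_try_verify_hosts%& continues, and a host matching neither list is not verified at all (the following sentence, "restrict certificate verification to the listed servers", says exactly that). Suggest rewording to state those three cases explicitly rather than "unless either ... is set" (also "are set" should be "is set"). Since both option descriptions say "For OpenSSL only", it would help to repeat that restriction in this paragraph, which is the place readers of &%tls_verify_certificates%& will land first.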