diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2013-03-24 21:49:12 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2013-03-25 22:42:48 +0000 |
commit | f5d786885721c374cc22a1f1311ca01408a496fd (patch) | |
tree | 528ec5ecb56fc077445855d16014bc9a9c86d967 /doc/doc-txt | |
parent | 26e72755c101f59e24735e9ca9a320d5f1ebc2b7 (diff) |
OCSP-stapling enhancement and testing.
Server:
Honor environment variable as well as running_in_test_harness in permitting bogus staplings
Update server tests
Add "-ocsp" option to client-ssl.
Server side: add verification of stapled status.
First cut server-mode ocsp testing.
Fix some uninitialized ocsp-related data.
Client (new):
Verify stapling using only the chain that verified the server cert, not any acceptable chain.
Add check for multiple responses in a stapling, which is not handled
Refuse verification on expired and revoking staplings.
Handle OCSP client refusal on lack of stapling from server.
More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
Add transport hosts_require_ocsp option.
Log stapling responses.
Start on tests for client-side.
Testing support:
Add CRL generation code and documentation update
Initial CA & certificate set for testing.
BUGFIX:
Once a single OCSP response has been extracted the validation
routine return code is no longer about the structure, but the actual
returned OCSP status.
Diffstat (limited to 'doc/doc-txt')
-rw-r--r-- | doc/doc-txt/experimental-spec.txt | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 8d1ebef13..385f0526e 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -69,7 +69,7 @@ starts retrying to fetch an OCSP proof some time before its current proof expires. The downside is that it requires server support. If Exim is built with EXPERIMENTAL_OCSP and it was built with OpenSSL, -then it gains one new option: "tls_ocsp_file". +then it gains a new global option: "tls_ocsp_file". The file specified therein is expected to be in DER format, and contain an OCSP proof. Exim will serve it as part of the TLS handshake. This @@ -86,10 +86,15 @@ next connection. Exim will check for a valid next update timestamp in the OCSP proof; if not present, or if the proof has expired, it will be ignored. +Also, given EXPERIMENTAL_OCSP and OpenSSL, the smtp transport gains +a "hosts_require_ocsp" option; a host-list for which an OCSP Stapling +is requested and required for the connection to proceed. The host(s) +should also be in "hosts_require_tls", and "tls_verify_certificates" +configured for the transport. + At this point in time, we're gathering feedback on use, to determine if it's worth adding complexity to the Exim daemon to periodically re-fetch -OCSP files and somehow handling multiple files. There is no client support -for OCSP in Exim, this is feature expected to be used by mail clients. +OCSP files and somehow handling multiple files. |