Support OCSP Stapling under GnuTLS. Bug 1459

Requires GnuTLS version 3.1.3 or later.
Under EXPERIMENTAL_OCSP

3 files changed, 13 insertions, 4 deletions

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index ddbd91135..cff9803d7 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -97,6 +97,8 @@ JH/18 New options dnssec_lax, dnssec_strict on dnsdb lookups.
 TL/09 Bugzilla 609: Add -C option to exiqgrep, specify which exim.conf to use.
       Patch submitted by Lars Timman.
 
+JH/19 EXPERIMENTAL_OCSP support under GnuTLS.  Bug 1459.
+
 
 Exim version 4.82
 -----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 39e2aa4d9..6a1a5e8d1 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -39,6 +39,9 @@ Version 4.83
  7. New command-line option -C for exiqgrep to specify alternate exim.conf
     file when searching the queue.
 
+ 8. EXPERIMENTAL_OCSP now supports GnuTLS also, if you have version 3.1.3
+    or later of that.
+
 
 Version 4.82
 ------------
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index f21609662..16738a51f 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -69,7 +69,8 @@ starts retrying to fetch an OCSP proof some time before its current
 proof expires.  The downside is that it requires server support.
 
 If Exim is built with EXPERIMENTAL_OCSP and it was built with OpenSSL,
-then it gains a new global option: "tls_ocsp_file".
+or with GnuTLS 3.1.3 or later, then it gains a new global option:
+"tls_ocsp_file".
 
 The file specified therein is expected to be in DER format, and contain
 an OCSP proof.  Exim will serve it as part of the TLS handshake.  This
@@ -86,7 +87,7 @@ next connection.
 Exim will check for a valid next update timestamp in the OCSP proof;
 if not present, or if the proof has expired, it will be ignored.
 
-Also, given EXPERIMENTAL_OCSP and OpenSSL, the smtp transport gains
+Also, given EXPERIMENTAL_OCSP, the smtp transport gains
 a "hosts_require_ocsp" option; a host-list for which an OCSP Stapling
 is requested and required for the connection to proceed.  The host(s)
 should also be in "hosts_require_tls", and "tls_verify_certificates"
@@ -99,6 +100,9 @@ of the server certificate.  There may be zero or one such. These
 intermediate certificates should be added to the server OCSP stapling
 file (named by tls_ocsp_file).
 
+Note that the proof only covers the terminal server certificate,
+not any of the chain from CA to it.
+
 At this point in time, we're gathering feedback on use, to determine if
 it's worth adding complexity to the Exim daemon to periodically re-fetch
 OCSP files and somehow handling multiple files.
@@ -107,8 +111,8 @@ OCSP files and somehow handling multiple files.
   OCSP server is supplied.  The server URL may be included in the
   server certificate, if the CA is helpful.
 
-  One fail mode seen was the OCSP Signer cert expiring before the end
-  of vailidity of the OCSP proof. The checking done by Exim/OpenSSL
+  One failure mode seen was the OCSP Signer cert expiring before the end
+  of validity of the OCSP proof. The checking done by Exim/OpenSSL
   noted this as invalid overall, but the re-fetch script did not.