| author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-05-06 14:44:21 +0100 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-05-06 22:40:45 +0100 |
| commit | 4466248715466b6f251454283642b74de65e9d9a | |
| tree | 487f21c1e0aa2c02c8d6ce5a21aa83b1f258ddaa /doc | |
| parent | 65867078f62db450bd8f91100600f6de559e7590 | |
OCSP observability: variables $tls_{in,out}_ocsp
and smtp transport option hosts_request_ocsp
Diffstat (limited to 'doc')

| -rw-r--r-- | doc/doc-txt/ChangeLog | 4 |
|---|---|---|
| -rw-r--r-- | doc/doc-txt/experimental-spec.txt | 23 |

2 files changed, 19 insertions, 8 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index c98528884..ebf2eadb2 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -107,6 +107,10 @@ TL/10 Bugzilla 1454: New -oMm option to pass message reference to Exim. JH/20 New expansion variables tls_(in,out)_(our,peer)cert, and expansion item certextract with support for various fields. Bug 1358. +JH/21 Observability of OCSP via variables tls_(in,out)_ocsp. Stapling + is requested by default, modifiable by smtp transport option + hosts_request_ocsp; + Exim version 4.82 ----------------- diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 16738a51f..1ec323433 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt 
@@ -84,14 +84,21 @@ contents are always valid. Exim will expand the "tls_ocsp_file" option on each connection, so a new file will be handled transparently on the next connection. -Exim will check for a valid next update timestamp in the OCSP proof; -if not present, or if the proof has expired, it will be ignored. - -Also, given EXPERIMENTAL_OCSP, the smtp transport gains -a "hosts_require_ocsp" option; a host-list for which an OCSP Stapling -is requested and required for the connection to proceed. The host(s) -should also be in "hosts_require_tls", and "tls_verify_certificates" -configured for the transport. +Under OpenSSL Exim will check for a valid next update timestamp in the +OCSP proof; if not present, or if the proof has expired, it will be +ignored. + +Also, given EXPERIMENTAL_OCSP, the smtp transport gains two options: +- "hosts_require_ocsp"; a host-list for which an OCSP Stapling +is requested and required for the connection to proceed. The default +value is empty. +- "hosts_request_ocsp"; a host-list for which (additionally) an OCSP +Stapling is requested (but not necessarily verified). The default +value is "*" meaning that requests are made unless configured +otherwise. + +The host(s) should also be in "hosts_require_tls", and +"tls_verify_certificates" configured for the transport. For the client to be able to verify the stapled OCSP the server must also supply, in its stapled information, any intermediate |
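Review bot: In the ChangeLog hunk the new JH/21 entry ends mid-sentence with a stray semicolon after `hosts_request_ocsp;` where a full stop is expected; the entry should also say in one clause that the request is made but the staple is only verified for hosts in `hosts_require_ocsp`, since as written "Stapling is requested by default" could be read as stapling being enforced by default.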
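Review bot: In the experimental-spec.txt hunk the retained sentence "The host(s) should also be in "hosts_require_tls", and "tls_verify_certificates" configured for the transport." now follows two option descriptions, and with `hosts_request_ocsp` defaulting to "*" it cannot apply to both lists (that would mean every host must be in `hosts_require_tls`); state explicitly that the requirement applies only to hosts matched by `hosts_require_ocsp`. Two further gaps: the interaction between the lists is undefined, so say whether a host in `hosts_require_ocsp` is still asked for a staple when it is not in `hosts_request_ocsp`, and the `$tls_in_ocsp` / `$tls_out_ocsp` variables named in the commit title and ChangeLog are not documented here at all, so add their possible values (at least what they contain when no staple was requested, when one was received but not verified, and when verification failed). Minor points: the new qualifier "Under OpenSSL Exim will check for a valid next update timestamp" implies the next-update check is skipped with other TLS libraries, and the document should say what happens to the proof in that case rather than leave the reader to infer it; and the continuation lines of the two "- " list items should be indented under their bullets so the list reads as two entries.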