diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-05-20 21:25:10 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-05-20 21:25:10 +0100 |
commit | e51c7be22dfccad376659a1a46cee93c9979bbf7 (patch) | |
tree | 3a6facf5bd5b51f1b3e21c62736ae04bc7504099 /doc | |
parent | 2e6afa4f11972312d3dbb9bb1d4f4bf585a3cdd2 (diff) |
Support optional server certificate name checking. Bug 1479
Enable EXPERIMENTAL_CERTNAMES to include.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/doc-txt/experimental-spec.txt | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index d8c26bf93..588543454 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -1147,6 +1147,25 @@ QUIT +Certificate name checking +-------------------------------------------------------------- +The X509 certificates used for TLS are supposed be verified +that they are owned by the expected host. The coding of TLS +support to date has not made these checks. + +If built with EXPERIMENTAL_CERTNAMES defined, code is +included to do so, and a new smtp transport option +"tls_verify_cert_hostname" supported which takes a list of +names for which the checks must be made. The host must +also be in "tls_verify_hosts". + +Both Subject and Subject-Alternate-Name certificate fields +are supported, as are wildcard certificates (limited to +a single wildcard being the initial component of a 3-or-more +component FQDN). + + + -------------------------------------------------------------- End of file -------------------------------------------------------------- |