Diffstat (limited to 'doc')
-rw-r--r-- doc/doc-docbook/spec.xfpt 20
-rw-r--r-- doc/doc-txt/ChangeLog 8
-rw-r--r-- doc/doc-txt/NewStuff 10
-rw-r--r-- doc/doc-txt/experimental-spec.txt 2
4 files changed, 36 insertions, 4 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 48cb0155e..7440a4c06 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -17116,7 +17116,8 @@ separator in the usual way to avoid confusion under IPv6.
&*Note*&: Under current versions of OpenSSL, when a list of more than one
file is used, the &$tls_in_ourcert$& veriable is unreliable.
-&*Note*&: OCSP stapling is not usable when a list of more than one file is used.
+&*Note*&: OCSP stapling is not usable under OpenSSL
+when a list of more than one file is used.
If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
if the OpenSSL build supports TLS extensions and the TLS client sends the
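Review bot: The reworded note in the two added lines scopes the OCSP stapling restriction to OpenSSL but leaves the reader to infer what applies under GnuTLS. The tls_ocsp_file text changed later in this patch says a list is accepted from GnuTLS 3.5.6, so a pointer here such as "for GnuTLS see &%tls_ocsp_file%&" would tie the two together. While this paragraph is being touched, the context line above has "veriable" for "variable".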
@@ -17130,7 +17131,15 @@ generated for every connection.
.cindex "TLS" "server certificate revocation list"
.cindex "certificate" "revocation list for server"
This option specifies a certificate revocation list. The expanded value must
-be the name of a file that contains a CRL in PEM format.
+be the name of a file that contains CRLs in PEM format.
+
+.new
+Under OpenSSL the option can specify a directory with CRL files.
+
+&*Note: Under OpenSSL the option must, if given, supply a CRL
+for each signing element of the certificate chain (i.e. all but the leaf).
+For the file variant this can be multiple PEM blocks in the one file.
+.wen
See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
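Review bot: The added note opens with "&*Note: Under OpenSSL" and never closes the emphasis markup; the other notes in this file are written "&*Note*&:", so this one should start "&*Note*&: Under OpenSSL the option must". The note also says a CRL "must" be supplied for each signing element of the chain without saying what happens to verification when one is missing; one sentence stating the outcome would let an administrator tell a misconfiguration from a revoked certificate.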
@@ -17257,8 +17266,11 @@ Certificate Authority.
Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
-&*Note*&: There is currently no support for multiple OCSP proofs to match the
-multiple certificates facility.
+.new
+For GnuTLS 3.5.6 or later the expanded value of this option can be a list
+of files, to match a list given for the &%tls_certificate%& option.
+The ordering of the two lists must match.
+.wen
.option tls_on_connect_ports main "string list" unset
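Review bot: "The ordering of the two lists must match" in the added paragraph does not say what Exim does when the lists differ in length or order, nor what happens when a list is given under OpenSSL or a GnuTLS older than 3.5.6. The removed note was the only statement of the limitation in this section, and the replacement covers GnuTLS only, so an OpenSSL reader no longer sees the restriction here. Suggest keeping one sentence for OpenSSL and stating the behaviour on a list mismatch.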
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 824ae232e..d4b1820d5 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -5,6 +5,14 @@ affect Exim's operation, with an unchanged configuration file. For new
options, and new features, see the NewStuff file next to this ChangeLog.
+Exim version 4.91
+-----------------
+
+JH/01 Replace the store_release() internal interface with store_newblock(),
+ which internalises the check required to safely use the old one, plus
+ the allocate and data copy operations duplicated in both (!) of the
+ extant use locations.
+
Exim version 4.90
-----------------
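Review bot: The JH/01 entry says store_newblock() "internalises the check required to safely use the old one" but does not name the check. Since this describes a change to a memory-management interface, stating what the check is would make the entry useful to someone auditing callers of the old store_release(). The "(!)" aside could go; the sentence reads fine without it.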
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 4261beb76..df7055a36 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -6,6 +6,16 @@ Before a formal release, there may be quite a lot of detail so that people can
test from the snapshots or the Git before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
+Version 4.91
+--------------
+
+ 1. Dual-certificate stacks on servers now support OCSP stapling, under GnuTLS
+ version 3.5.6 or later.
+
+ 2. DANE is now supported under GnuTLS version 3.0.0 or later (adding to the
+ previous OpenSSL implementation, but still Experimental).
+
+
Version 4.90
------------
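Review bot: The new "Version 4.91" list does not mention the CRL directory support that the spec.xfpt hunk in this same patch marks with .new ("Under OpenSSL the option can specify a directory with CRL files"). If that is new in this version it deserves an item here, together with the requirement for a CRL per signing element, since that requirement can affect existing configurations. Minor: the underline added under "Version 4.91" is 14 dashes, while the one under "Version 4.90" is 12 and matches its heading length.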
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 1e826aee1..db7a9a51d 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -928,6 +928,8 @@ verification succeeded using DANE and "no" otherwise (only useful
in combination with EXPERIMENTAL_EVENT), and a new variable
$tls_out_tlsa_usage (detailed above).
+Under GnuTLS, DANE is only supported from versin 3.0.0 onwards
+
DSN extra information
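Review bot: The added line has "versin" for "version" and no closing full stop. Suggest "Under GnuTLS, DANE is only supported from version 3.0.0 onwards." which also matches the wording of the NewStuff item in this patch.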