From 594706ea2e56fe8c972eab772bd3e58c7a0c89ab Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 17 Aug 2014 00:41:17 +0100 Subject: Add observability variables and provision for avoiding OCSP conflicts --- doc/doc-txt/experimental-spec.txt | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index b1b89e007..c060a6c5a 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -1235,7 +1235,25 @@ must have a correct name (SubjectName or SubjectAltName). The use of OCSP-stapling should be considered, allowing for fast revocation of certificates (which would otherwise be limited by the DNS TTL on the TLSA records). However, -this is likely to only be usable with DANE_TA. +this is likely to only be usable with DANE_TA. NOTE: the +default is to request OCSP for all hosts; the certificate +chain in DANE_EE usage will be insufficient to validate +the OCSP proof and verification will fail. Either disable +OCSP completely or use the (new) variable $tls_out_tlsa_usage +like so: + + hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \ + {= {0}{$tls_out_tlsa_usage}} } \ + {*}{}} +The variable is a bitfield with numbered bits set for TLSA +record usage codes. The zero above means DANE was not in use, +the four means that only DANE_TA usage TLSA records were +found. If the definition of hosts_require_ocsp or +hosts_request_ocsp includes the string "tls_out_tlsa_usage", +they are re-expanded in time to control the OCSP request. + +[ All a bit complicated. Should we make that definition +the default? Should we override the user's definition? ] For client-side DANE there are two new smtp transport options, 
@@ -1260,6 +1278,11 @@ and dnssec_require_domains is ignored. If verification was successful using DANE then the "CV" item in the delivery log line will show as "CV=dane". +There is a new variable $tls_out_dane which will have "yes" if +verification succeeded using DANE and "no" otherwise (only useful +in combination with EXPERIMENTAL_TPDA), and a new variable +$tls_out_tlsa_usage (detailed above). + -------------------------------------------------------------- End of file -- cgit v1.2.3
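Review bot: (first hunk, the hosts_request_ocsp example and the paragraph after it) the example tests the bitfield with plain equality (`{= {4}{$tls_out_tlsa_usage}}` / `{= {0}{$tls_out_tlsa_usage}}`), so a host whose TLSA set mixes DANE_TA and DANE_EE records (both bits set) never matches either branch and OCSP is silently not requested for it, while the PKIX usages (the low bits) are not covered at all; since the text itself describes the variable as a bitfield, the doc should either show a bit test or state that the example deliberately requests OCSP only when DANE_TA alone (or no DANE) was found. Two smaller points in the same hunk: the workaround disables OCSP for DANE_EE hosts, so for those the revocation window is again bounded by the TLSA TTL mentioned just above, and that consequence is worth one sentence; and the bracketed "[ All a bit complicated. ... ]" editor's note is an open design question that should be resolved (or moved to a TODO) rather than shipped in the user-facing spec. Also the "they are re-expanded" rule keys on the literal string "tls_out_tlsa_usage" appearing in the option definition, which a reader may not realise is a textual match, and a blank line is missing between the example and "The variable is a bitfield".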
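Review bot: (second hunk, the $tls_out_dane paragraph) the new text says what values $tls_out_dane takes but not when it is valid; since the preceding lines describe "CV=dane" in the delivery log, the doc should say at which point in the transport the variable is set (after TLS negotiation and verification) and that "no" covers both a failed DANE verification and a delivery where DANE was not attempted, otherwise a TPDA consumer cannot distinguish the two. The parenthetical "(only useful in combination with EXPERIMENTAL_TPDA)" would read better as an explicit statement of where the variable is available, and both new variables should also be listed wherever the experimental spec enumerates expansion variables.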