Testsuite: move CRL testcases away from using SHA1-signed certs

[exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 1a7a7baa638558da5b2c2485912d485bb6f6cec2..9c011a989fb691b6cbfbbcbbc81d6672ce137c7b 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -17133,8 +17133,14 @@ use when sending messages as a client, you must set the &%tls_certificate%&
 option in the relevant &(smtp)& transport.
 
 .new
+&*Note*&: If you use filenames based on IP addresses, change the list
+separator in the usual way to avoid confusion under IPv6.
+
 &*Note*&: Under current versions of OpenSSL, when a list of more than one
 file is used, the &$tls_in_ourcert$& veriable is unreliable.
+
+&*Note*&: OCSP stapling is not usable under OpenSSL
+when a list of more than one file is used.
 .wen
 
 If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
@@ -17149,7 +17155,15 @@ generated for every connection.
 .cindex "TLS" "server certificate revocation list"
 .cindex "certificate" "revocation list for server"
 This option specifies a certificate revocation list. The expanded value must
-be the name of a file that contains a CRL in PEM format.
+be the name of a file that contains CRLs in PEM format.
+
+.new
+Under OpenSSL the option can specify a directory with CRL files.
+
+&*Note: Under OpenSSL the option must, if given, supply a CRL
+for each signing element of the certificate chain (i.e. all but the leaf).
+For the file variant this can be multiple PEM blocks in the one file.
+.wen
 
 See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
 
@@ -17276,6 +17290,12 @@ Certificate Authority.
 
 Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
 
+.new
+For GnuTLS 3.5.6 or later the expanded value of this option can be a list
+of files, to match a list given for the &%tls_certificate%& option.
+The ordering of the two lists must match.
+.wen
+
 
 .option tls_on_connect_ports main "string list" unset
 .cindex SSMTP
@@ -27137,7 +27157,7 @@ let the Exim Maintainers know and we'll likely use it).
 .next
 .new
 With GnuTLS, if an explicit list is used for the &%tls_privatekey%& main option
-main option, it must be ordered to match the %&tls_certificate%& list.
+main option, it must be ordered to match the &%tls_certificate%& list.
 .wen
 .next
 Some other recently added features may only be available in one or the other.
@@ -31327,6 +31347,7 @@ address and some time-based randomizing information. The &%prvs%& expansion
 item creates a signed address, and the &%prvscheck%& expansion item checks one.
 The syntax of these expansion items is described in section
 &<<SECTexpansionitems>>&.
+The validity period on signed addresses is seven days.
 
 As an example, suppose the secret per-address keys are stored in an MySQL
 database. A query to look up the key for an address could be defined as a macro
@@ -38708,6 +38729,11 @@ dkim_verify_signers = $sender_address_domain:$dkim_signers
 If a domain or identity is listed several times in the (expanded) value of
 &%dkim_verify_signers%&, the ACL is only called once for that domain or identity.
 
+.new
+If multiple signatures match a domain (or identity), the ACL is called once
+for each matching signature.
+.wen
+
 
 Inside the &%acl_smtp_dkim%&, the following expansion variables are
 available (from most to least important):