Docs: add notes on library version limitations on OCSP stapling. Bug 1664

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index e1eaf3f70e973613a2a165889f000cdd4751d340..69a810c0c5d7a8dfb3de88dde31c27ecdc58632c 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16668,6 +16668,10 @@ must if set expand to the absolute path to a file which contains a current
 status proof for the server's certificate, as obtained from the
 Certificate Authority.
 
+.new
+Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
+.wen
+
 
 .option tls_on_connect_ports main "string list" unset
 .cindex SSMTP
@@ -26754,7 +26758,9 @@ starts retrying to fetch an OCSP proof some time before its current
 proof expires.  The downside is that it requires server support.
 
 Unless Exim is built with the support disabled,
-or with GnuTLS earlier than version 3.1.3,
+.new
+or with GnuTLS earlier than version 3.3.16 / 3.4.8
+.wen
 support for OCSP stapling is included.
 
 There is a global option called &%tls_ocsp_file%&.

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 654361af1dba214b913f8b0a00d510e2ae8522ca..45eea03195aca4948c6c8209e3bb4b45c7514de4 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -4,6 +4,10 @@ Change log file for Exim from version 4.21
 
 Exim version 4.87
 -----------------
+JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16
+      and 3.4.4 - once the server is enabled to respond to an OCSP request
+      it does even when not requested, resulting in a stapling non-aware
+      client dropping the TLS connection.
 
 
 Exim version 4.86