From: Jeremy Harris Date: Sun, 10 Aug 2014 20:52:24 +0000 (+0100) Subject: Enable OCSP X-Git-Tag: exim-4_85_RC1~67^2~17 X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=eeb9276b22cd991157c46a068a85ffe59b948d75;p=exim.git Enable OCSP --- diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index f1414287d..b1b89e007 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -1234,7 +1234,8 @@ must have a correct name (SubjectName or SubjectAltName). The use of OCSP-stapling should be considered, allowing for fast revocation of certificates (which would otherwise -be limited by the DNS TTL on the TLSA records). +be limited by the DNS TTL on the TLSA records). However, +this is likely to only be usable with DANE_TA. For client-side DANE there are two new smtp transport options, @@ -1252,12 +1253,13 @@ If dane is in use the following transport options are ignored: tls_verify_certificates tls_crl tls_verify_cert_hostnames - hosts_require_ocsp (might rethink those two) - hosts_request_ocsp Currently dnssec_request_domains must be active (need to think about that) and dnssec_require_domains is ignored. +If verification was successful using DANE then the "CV" item +in the delivery log line will show as "CV=dane". + -------------------------------------------------------------- End of file diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index c05253f73..1ec7786bd 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1696,7 +1696,6 @@ else if (dane_required) return FAIL; } -if (!dane) /*XXX todo: enable ocsp with dane */ #endif #ifndef DISABLE_OCSP
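Review bot: the first experimental-spec.txt hunk adds "However, this is likely to only be usable with DANE_TA" without saying why or what happens with the other usage types, and the hedge "likely" leaves the reader unsure whether this is a known limitation or an untested guess. Either state the rationale in the sentence, or mark it as an open item in the same style the file already uses a few lines later ("(need to think about that)"), so the two notes read consistently.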
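Review bot: the second experimental-spec.txt hunk drops hosts_require_ocsp and hosts_request_ocsp from the list of transport options ignored under DANE, but nothing replaces the removed "(might rethink those two)" note with a statement of how those options now behave, and the first hunk in the same file still says OCSP is only expected to be usable with DANE_TA. Add one sentence under "If dane is in use" saying that the two OCSP options now apply, and cross-reference the DANE_TA caveat so the two hunks do not read as contradicting each other. The added "CV=dane" sentence is useful; consider also saying it appears in place of the existing CV value rather than alongside it, since a log parser needs to know which.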
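Review bot: the tls-openssl.c hunk removes the `if (!dane)` guard together with its "XXX todo: enable ocsp with dane" comment, so the `#ifndef DISABLE_OCSP` block that follows now runs for DANE connections as well as non-DANE ones, but the commit message "Enable OCSP" does not say that this is the behavioural change being made or that it has only been exercised with DANE_TA (the limitation the documentation hunk records). Expand the commit message to name the removed guard and the DANE_TA caveat, and confirm that the `dane` local is still referenced after this deletion so the build does not pick up an unused-variable warning under the `#ifdef` configuration shown in the context lines.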