From 82d14d6a7ecbaf515d7feb30c351c92a4b429f43 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 2 Aug 2015 14:33:56 +0100 Subject: [PATCH] Docs: add notes on library version limitations on OCSP stapling. Bug 1664 --- doc/doc-docbook/spec.xfpt | 8 +++++++- doc/doc-txt/ChangeLog | 4 ++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index e1eaf3f70..69a810c0c 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -16668,6 +16668,10 @@ must if set expand to the absolute path to a file which contains a current status proof for the server's certificate, as obtained from the Certificate Authority. +.new +Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later). +.wen + .option tls_on_connect_ports main "string list" unset .cindex SSMTP @@ -26754,7 +26758,9 @@ starts retrying to fetch an OCSP proof some time before its current proof expires. The downside is that it requires server support. Unless Exim is built with the support disabled, -or with GnuTLS earlier than version 3.1.3, +.new +or with GnuTLS earlier than version 3.3.16 / 3.4.8 +.wen support for OCSP stapling is included. There is a global option called &%tls_ocsp_file%&. diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 654361af1..45eea0319 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -4,6 +4,10 @@ Change log file for Exim from version 4.21 Exim version 4.87 ----------------- +JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16 + and 3.4.4 - once the server is enabled to respond to an OCSP request + it does even when not requested, resulting in a stapling non-aware + client dropping the TLS connection. Exim version 4.86 -- 2.25.1