https://bugs.exim.org/show_bug.cgi?id=2352

            Bug ID: 2352
           Summary: Enforce must-staple cert checks
           Product: Exim
           Version: 4.91
          Hardware: All
                OS: All
            Status: NEW
          Severity: wishlist
          Priority: low
         Component: TLS
          Assignee: jgh146...@wizmail.org
          Reporter: jgh146...@wizmail.org
                CC: exim-dev@exim.org

RFC 7633 defines a cert extension saying that use of it must be accompanied
by cert-status ("OCSP stapling") if a client requests stapling. This applies
for the leaf-cert if any cert in the chain has the extension.  Lacking
stapling, the chain must be regarded as invalid.

Exim should code those checks, if the TLS library version does not.
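The check described above, as an added example that is not Exim code: the TLSFeature extension is decoded from its DER value and the chain is rejected when any element demands status_request but no stapled response arrived. The OID and DER layout come from RFC 7633; the representation of a cert as a dict of extension OID to DER value, and the sample chain, are constructed for illustration.

```python
# Added example (not Exim's own code): RFC 7633 "must-staple" decision over a
# constructed chain model (cert = dict mapping extension OID -> DER value).

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                        # TLS extension type status_request (RFC 6066)

def decode_tls_features(der: bytes) -> set:
    """Decode a TLSFeature extension value: SEQUENCE OF INTEGER (RFC 7633 4.1)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed TLSFeature: expected definite-length SEQUENCE")
    features, i = set(), 2
    while i < len(der):
        if der[i] != 0x02 or i + 2 > len(der):
            raise ValueError("malformed TLSFeature: expected INTEGER")
        n = der[i + 1]
        body = der[i + 2:i + 2 + n]
        if n == 0 or len(body) != n:
            raise ValueError("malformed TLSFeature: truncated INTEGER")
        features.add(int.from_bytes(body, "big", signed=True))
        i += 2 + n
    return features

def chain_requires_staple(chain) -> bool:
    """True if any cert in the chain lists status_request in TLSFeature.
    Per the bug text, an extension anywhere in the chain binds the leaf."""
    for exts in chain:
        der = exts.get(TLS_FEATURE_OID)
        if der is not None and STATUS_REQUEST in decode_tls_features(der):
            return True
    return False

def chain_acceptable(chain, stapled_response_present: bool) -> bool:
    """Stapling was requested by us; a chain that demands it but arrives without
    a staple is invalid. A malformed extension is a failure, never a bypass."""
    try:
        required = chain_requires_staple(chain)
    except ValueError:
        return False
    return stapled_response_present or not required

# Constructed sample chain: a leaf with no TLSFeature, an issuer with must-staple.
LEAF = {}
MUST_STAPLE = {TLS_FEATURE_OID: bytes.fromhex("3003020105")}  # SEQUENCE { INTEGER 5 }

if __name__ == "__main__":
    print("no staple, must-staple in chain ->", chain_acceptable([LEAF, MUST_STAPLE], False))
```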

It is unclear what the situation for client certs is.  Pre-TLS1.3 cannot do
a server requesting stapling from the client, but TLS1.3 can (though it also
is not clear if libraries support that yet).

It is unclear whether, under TLS1.3, every chain element must be checked for
associated status or only the leaf.
