Bug ID: 2352
Summary: Enforce must-staple cert checks
RFC 7633 defines a cert extension saying that use of it must be accompanied
by cert-status ("OCSP stapling") if a client requests stapling. This applies
for the leaf-cert if any cert in the chain has the extension. Lacking
it, the chain must be regarded as invalid.
Exim should code those checks, if the TLS library version does not.
It is unclear what the situation for client certs is. Pre-TLS1.3 cannot do
a server requesting stapling from the client, but TLS1.3 can (though it also
is not clear if libraries support that yet).
It is unclear whether, under TLS1.3, every chain element must be checked for
associated status or only the leaf.
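The leaf-side check described in this report, as an added illustration that is not Exim's code: the TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, a DER SEQUENCE OF INTEGER) is decoded from raw bytes, and the chain is rejected only when some cert asserts status_request, the client asked for stapling, and no stapled status arrived. The chain representation and the constructed sample certificate are assumptions for the example.

```python
# Added example (not Exim's code): enforce RFC 7633 "must-staple" on a chain that
# has already passed ordinary X.509 validation. Assumed inputs: the chain as a list
# of (name, raw TLSFeature extension value or None) pairs, plus two booleans from
# the handshake (did the client request stapling, did a stapled status arrive).

STATUS_REQUEST = 5       # TLS extension type status_request (RFC 6066)
STATUS_REQUEST_V2 = 17   # TLS extension type status_request_v2 (RFC 6961)


def parse_tls_feature(der: bytes) -> list[int]:
    """Decode a TLSFeature value: SEQUENCE OF INTEGER (RFC 7633 section 4)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("TLSFeature must be a DER SEQUENCE")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("unsupported or inconsistent SEQUENCE length")
    features, pos = [], 2
    while pos < len(der):
        if der[pos] != 0x02 or pos + 1 >= len(der):
            raise ValueError("TLSFeature elements must be INTEGERs")
        n = der[pos + 1]
        if n == 0 or pos + 2 + n > len(der):
            raise ValueError("bad INTEGER length")
        features.append(int.from_bytes(der[pos + 2:pos + 2 + n], "big", signed=True))
        pos += 2 + n
    return features


def chain_requires_staple(chain) -> bool:
    """True if any certificate in the chain asserts status_request (v1 or v2)."""
    wanted = {STATUS_REQUEST, STATUS_REQUEST_V2}
    return any(ext is not None and wanted & set(parse_tls_feature(ext))
               for _name, ext in chain)


def must_staple_ok(chain, client_requested_stapling: bool, staple_present: bool) -> bool:
    """Reject when stapling is mandated by the chain, was requested, and none arrived."""
    if not client_requested_stapling:
        return True   # RFC 7633: the obligation applies only when the client asks
    if not chain_requires_staple(chain):
        return True   # no cert in the chain carries the extension
    return staple_present


# Constructed sample: leaf carries TLSFeature { status_request }, issuers carry none.
LEAF_EXT = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_CHAIN = [("leaf", LEAF_EXT), ("intermediate", None), ("root", None)]
```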