Hi!

On Tue, 7 Oct 2014 14:45:24 -0400, grarpamp wrote:
> On Tue, Oct 7, 2014 at 1:28 PM, Ángel González <an...@16bits.net> wrote:
> > CustaiCo wrote:
> >> Because of how cleanly separated the network code is from the rest
> >> of the application, I'm fairly sure that there should be no leaks,
> >> unless the ssl library decides to open its own connections for no
> >> reason.
> >
> > Like doing an OCSP check?
> >
> > (although neither openssl nor gnutls seem to do that automatically
> > nowadays)
>
> Exactly like that, it's worth looking for, ie: can the user's TLS
> config or TLS compile default turn on OCSP
Currently you can use --tls-crl-file, and you have to update the CRL file via some external mechanism. Though I doubt that anybody does that.

Note that if you want automatic revocation checking via OCSP, you have to be very careful not to reveal information about which servers you contact at which time. (As far as I know, the certificate you want to check is sent to the server. And OCSP may not even use encryption itself, so all information you reveal is public.)

Martin

_______________________________________________
msmtp-users mailing list
msmtp-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/msmtp-users
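To make the CRL-file approach concrete, here is an added shell example (not msmtp's code and not from this thread) that builds a throwaway CA with openssl, revokes a server certificate, regenerates the CRL and checks the certificate against it purely from local files, which is the kind of check --tls-crl-file performs and the kind of file an external updater has to refresh. The CA name, hostname and config are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not msmtp code): throwaway CA, server cert, revocation, and
# an offline CRL check. All names below are constructed for the demo.
set -eu
W=$(mktemp -d)
cd "$W"
touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
# Demo CA, then a server certificate issued by it
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=demo CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" -keyout srv.key -out srv.csr >/dev/null 2>&1
openssl ca -batch -config ca.cnf -in srv.csr -out srv.pem >/dev/null 2>&1
# CRL before and after revoking the server cert; both are PEM files, the
# usual input for --tls-crl-file, and what an external updater must refresh.
openssl ca -config ca.cnf -gencrl -out before.crl >/dev/null 2>&1
openssl ca -config ca.cnf -revoke srv.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out after.crl >/dev/null 2>&1

# Offline status check: only local files are read, no OCSP responder is
# contacted, so nothing reveals which server is being verified or when.
# $1 = server cert, $2 = CRL file; prints "valid" or "revoked".
crl_check() {
    if openssl verify -CAfile ca.pem -CRLfile "$2" -crl_check "$1" >/dev/null 2>&1
    then echo valid; else echo revoked; fi
}
crl_check srv.pem before.crl
crl_check srv.pem after.crl
```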