[exim-dev] [Bug 2350] OCSP stapling, client side
https://bugs.exim.org/show_bug.cgi?id=2350

Git Commit changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |g...@exim.org

--- Comment #8 from Git Commit ---
Git commit: https://git.exim.org/exim.git/commitdiff/e41242f9612adaedadd5f3607b202f32ca086b4f

commit e41242f9612adaedadd5f3607b202f32ca086b4f
Author:     Jeremy Harris
AuthorDate: Mon Jul 15 10:53:35 2019 +0100
Commit:     Jeremy Harris
CommitDate: Mon Jul 15 10:53:35 2019 +0100

    Docs: add note on unusability of must-staple certs by clients. Bug 2350
---
 doc/doc-docbook/spec.xfpt | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5463cc1..37ada75 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -28478,6 +28478,13 @@ transport provide the client with a certificate, which is passed to the
 server if it requests it. If the server is Exim, it will request a certificate
 only if &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.
 
+.new
+Do not use a certificate which has the OCSP-must-staple extension,
+for client use (they are usable for server use).
+As TLS has no means for the client to staple before TLS 1.3 it will result
+in failed connections.
+.wen
+
 If the &%tls_verify_certificates%& option is set on the &(smtp)& transport,
 it specifies a collection of expected server certificates. These may be

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
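Review bot: the qualifier "before TLS 1.3" in the added .new/.wen note reads as if a must-staple certificate becomes usable for client use once TLS 1.3 is negotiated, but comment #2 on this bug says library support for the server requesting a client staple in TLS 1.3 "remains to be seen" and comment #6 reports no codepoints registered for it, so the note should state that such a certificate is unusable for client use at any TLS version until that support exists, e.g. "TLS before 1.3 gives the client no way to staple, and client-side stapling in TLS 1.3 is not yet supported, so connections will fail." Style: drop the comma in "the OCSP-must-staple extension, for client use", which splits the phrase.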
[exim-dev] [Bug 2350] OCSP stapling, client side
https://bugs.exim.org/show_bug.cgi?id=2350

Castro B changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |castro8583benn...@gmx.com

--- Comment #7 from Castro B ---
Hi Torsten,

Why not just let it be, right? We can do anything anyways.

Castro B, https://sparpedia.at
[exim-dev] [Bug 2350] OCSP stapling, client side
https://bugs.exim.org/show_bug.cgi?id=2350

--- Comment #6 from Torsten Tributh ---
Hi, happy new year.

After investigating a bit deeper, we can close this issue for now.
There is no support in the client handshake to staple the OCSP status_response
for TLS < 1.3, and actually no codepoints registered for usage in TLS 1.3.

Maybe only a hint in the manual could be useful, possibly like this:

"Take care not to use a single certificate with the OCSP-must-staple feature
enabled if you want to use it for incoming and outgoing connections. The
definitions have a lack of support to staple OCSP in client mode."

Torsten
[exim-dev] [Bug 2350] OCSP stapling, client side
https://bugs.exim.org/show_bug.cgi?id=2350

--- Comment #5 from Torsten Tributh ---
Hi,

I am on the way to clarify the OCSP case in the IETF TLS working group.
Seems to take some more time. Please hold this until next year.
[exim-dev] [Bug 2350] OCSP stapling, client side
https://bugs.exim.org/show_bug.cgi?id=2350

--- Comment #4 from Jeremy Harris ---
That would be my reading of the situation, yes.
[exim-dev] [Bug 2350] OCSP stapling, client side
https://bugs.exim.org/show_bug.cgi?id=2350

--- Comment #3 from Torsten Tributh ---
Haven't recognized this difference between TLS 1.2 and TLS 1.3 before.
Seems like stapling was not intended in the beginning to be offered from
clients also.

If it will be offered in TLS 1.3 implementations there remains then another
question: for TLS 1.3 I can use a must-staple cert, but for lower TLS connects
I have to serve a second one without stapling?

My question sounds like I have to ask in the IETF TLS working group.
[exim-dev] [Bug 2350] OCSP stapling, client side
https://bugs.exim.org/show_bug.cgi?id=2350

--- Comment #2 from Jeremy Harris ---
I note that the original RFC for stapling, 6066, only talks about it in terms
of the client requesting and the server supplying certificate status.
https://tools.ietf.org/html/rfc6066 Section 8.

Also the OpenSSL manpage for SSL_CTX_set_tlsext_status_cb() only describes use
in that direction, as does the GnuTLS docs page on OCSP stapling.
https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_status_ocsp_resp.html
https://www.gnutls.org/manual/html_node/OCSP-stapling.html

It may well be that client-certs are second class citizens in TLS1.2, and the
best recourse is to use limited-lifetime ones.

In TLS1.3 however, RFC 8446 section 4.4.2.1 says that the server can request
stapling by the client. It remains to be seen what library support there may be.
[exim-dev] [Bug 2350] OCSP stapling, client side
https://bugs.exim.org/show_bug.cgi?id=2350

Jeremy Harris changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|medium                      |high
           Severity|bug                         |wishlist
            Summary|OCSP Problem for outgoing   |OCSP stapling, client side
                   |mails                       |
   Target Milestone|Exim 4.92                   |Exim_4.93+

--- Comment #1 from Jeremy Harris ---
As the docs say: "There is no current way to staple a proof for a client
certificate". This means that must-staple certificates are not usable as client
certs.
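The thread's conclusion is that a certificate carrying the OCSP must-staple marker (the RFC 7633 TLS Feature extension) must not be handed to the smtp transport as a client certificate. As an added example, not code from the Exim project or from anyone on this bug, here is a standard-library-only Python check that walks a PEM or DER certificate to that extension so the certificate can be rejected before it causes the failed connections described above. Assumed facts are the extension's OID 1.3.6.1.5.5.7.1.24 and TLS extension type 5 being status_request; the DER walker, the der() builder and the MUST_STAPLE_* sample values are constructed here and are not real certificates.

```python
import base64, re

TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")  # RFC 7633 TLS Feature ext, 1.3.6.1.5.5.7.1.24
STATUS_REQUEST = 5  # TLS extension type status_request (RFC 6066 section 8)

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n, length = length & 0x7F, 0
        for b in buf[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def tls_features(cert):
    """TLS extension types listed in the cert's TLS Feature extension (PEM or DER); [] if absent."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    tbs = read_tlv(read_tlv(cert)[1])[1]  # Certificate -> TBSCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions; all earlier TBS fields are skipped
            for _, ext in children(read_tlv(val)[1]):
                fields = list(children(ext))  # OID, optional critical BOOLEAN, OCTET STRING
                if fields[0][1] == TLS_FEATURE_OID:
                    seq = read_tlv(fields[-1][1])[1]  # TLSFeatures ::= SEQUENCE OF INTEGER
                    return [int.from_bytes(v, "big") for _, v in children(seq)]
    return []

def has_must_staple(cert):
    """True when the cert demands stapling and so must not be used as an Exim client cert."""
    return STATUS_REQUEST in tls_features(cert)

def der(tag, payload):
    """Short-form DER TLV encoder, used only to build the constructed samples below."""
    return bytes([tag, len(payload)]) + payload

# Constructed samples, not real certificates: a skeletal Certificate/TBSCertificate whose only
# TBS field is the [3] extensions element carrying a must-staple TLS Feature extension.
MUST_STAPLE_SAMPLE = der(0x30, der(0x30, der(0xA3, der(0x30, der(0x30,
    der(0x06, TLS_FEATURE_OID) + der(0x04, der(0x30, der(0x02, b"\x05"))))))))
MUST_STAPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(MUST_STAPLE_SAMPLE)
                   + b"\n-----END CERTIFICATE-----\n")
```

On a real certificate file, `has_must_staple(open(path, "rb").read())` returns True for any cert that should stay server-side only.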