Hi,
I asked in the past if OCSP stapling can also be made with a list. This
part of code implementation is still not done for actual openssl or
gnutls implementations.

I found now a way to do it with plain config:

tls_certificate = ecdsa_chain.pem:rsa_chain.pem
tls_privatekey = ecdsa-key.pem:rsa-key.pem
tls_require_ciphers = "Make sure to use only ciphers mentioning RSA or ECDSA in their name, not the historic ones (except TLS 1.3)"

tls_ocsp_file = ${if match{$tls_cipher}{RSA}{ocspresponseRSA}{ocspresponseECDSA}}

This works also with the new upcoming TLS 1.3.

In the case the cipher has "*RSA*", we staple the OCSP response for the
RSA certificate. In all other cases we staple the ECDSA OCSP response.
In TLS 1.3 there is no RSA or ECDSA in the cipher name and we staple the
OCSP ECDSA response to the first given tls_certificate, which in this
case is also the ECDSA cert.


-- 
Torsten

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

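The following is an added example, not code from the post or from the Exim project. It mirrors the `${if match{$tls_cipher}{RSA}...}` expansion in Python and audits a constructed list of OpenSSL-style suite names to show which ones would get the wrong OCSP response stapled, which is why the post says to exclude the historic suites. It assumes Exim's `match` condition is an unanchored, case-sensitive regex search and that the certificate order is ECDSA first, RSA second, as in the post.

```python
import re

# Response file names are the ones used in the post's tls_ocsp_file expansion.
OCSP_RSA = "ocspresponseRSA"
OCSP_ECDSA = "ocspresponseECDSA"
# tls_certificate in the post lists the ECDSA chain first, then the RSA chain.
TLS_CERTIFICATE_ORDER = ("ECDSA", "RSA")

# Constructed list of OpenSSL-style suite names an operator might allow.
SAMPLE_CIPHERS = [
    "TLS_AES_256_GCM_SHA384",        # TLS 1.3: no auth algorithm in the name
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",             # historic RSA key transport, no "RSA" in name
    "ECDH-RSA-AES128-SHA",           # historic static ECDH, RSA-signed EC cert
]

def exim_ocsp_choice(tls_cipher):
    """Mirror ${if match{$tls_cipher}{RSA}{ocspresponseRSA}{ocspresponseECDSA}}.
    Assumes Exim's 'match' is an unanchored, case-sensitive regex search."""
    return OCSP_RSA if re.search(r"RSA", tls_cipher) else OCSP_ECDSA

def auth_key_type(tls_cipher):
    """Key type of the server certificate this suite name commits the server to."""
    if tls_cipher.startswith("TLS_"):      # TLS 1.3: first configured cert is used
        return TLS_CERTIFICATE_ORDER[0]
    if tls_cipher.startswith("ECDH-"):     # static ECDH needs its own EC cert
        return "static-ECDH"
    if "-ECDSA-" in tls_cipher:
        return "ECDSA"
    if "-RSA-" in tls_cipher:
        return "RSA"
    if re.match(r"(AES|CAMELLIA|DES|RC4|SEED)", tls_cipher):
        return "RSA"                       # RSA key transport names no auth alg
    return "unknown"

def audit(ciphers):
    """Return (cipher, stapled file, certificate key type, consistent?) per suite."""
    expected = {"RSA": OCSP_RSA, "ECDSA": OCSP_ECDSA}
    rows = []
    for cipher in ciphers:
        chosen = exim_ocsp_choice(cipher)
        key_type = auth_key_type(cipher)
        rows.append((cipher, chosen, key_type, chosen == expected.get(key_type)))
    return rows

def mismatches(ciphers):
    # Suites for which the expansion would staple a response for the wrong cert.
    return [row[0] for row in audit(ciphers) if not row[3]]
```

Running `mismatches(SAMPLE_CIPHERS)` flags the two historic suites; every ECDHE/DHE suite and the TLS 1.3 suite map to the response of the certificate actually selected.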