X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=doc%2Fdoc-docbook%2Fspec.xfpt;fp=doc%2Fdoc-docbook%2Fspec.xfpt;h=7440a4c06949ec26170789779ba10d66ffb68d34;hb=d4fd1b83a197d73cbac114fe53f3448d8b5c7cc2;hp=48cb0155e78d1db7250019dca19cef740ae33dd6;hpb=3721c5545411010ffbea82fc58b883664d07e865;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 48cb0155e..7440a4c06 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -17116,7 +17116,8 @@ separator in the usual way to avoid confusion under IPv6. &*Note*&: Under current versions of OpenSSL, when a list of more than one file is used, the &$tls_in_ourcert$& veriable is unreliable. -&*Note*&: OCSP stapling is not usable when a list of more than one file is used. +&*Note*&: OCSP stapling is not usable under OpenSSL +when a list of more than one file is used. If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then if the OpenSSL build supports TLS extensions and the TLS client sends the @@ -17130,7 +17131,15 @@ generated for every connection. .cindex "TLS" "server certificate revocation list" .cindex "certificate" "revocation list for server" This option specifies a certificate revocation list. The expanded value must -be the name of a file that contains a CRL in PEM format. +be the name of a file that contains CRLs in PEM format. + +.new +Under OpenSSL the option can specify a directory with CRL files. + +&*Note: Under OpenSSL the option must, if given, supply a CRL +for each signing element of the certificate chain (i.e. all but the leaf). +For the file variant this can be multiple PEM blocks in the one file. +.wen See &<>& for discussion of when this option might be re-expanded. 
@@ -17257,8 +17266,11 @@ Certificate Authority. Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later). -&*Note*&: There is currently no support for multiple OCSP proofs to match the -multiple certificates facility. +.new +For GnuTLS 3.5.6 or later the expanded value of this option can be a list +of files, to match a list given for the &%tls_certificate%& option. +The ordering of the two lists must match. +.wen .option tls_on_connect_ports main "string list" unset
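Review bot: in the first hunk (@@ -17116, tls_certificate), the reworded OCSP note scopes the restriction to OpenSSL but leaves the reader to infer what happens under GnuTLS when a list of files is given. The tls_ocsp_file hunk in this same patch documents list support for GnuTLS 3.5.6 or later, so a cross-reference to &%tls_ocsp_file%& belongs in this note. The unchanged context line just above it spells "veriable" for "variable"; that can be corrected in the same commit since the paragraph is being touched anyway.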
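Review bot: in the second hunk (@@ -17130, tls_crl), the added line "&*Note: Under OpenSSL the option must, if given, supply a CRL" opens the emphasis with "&*" and never closes it before ".wen"; the other notes in this patch are written "&*Note*&:". Change the line to start "&*Note*&: Under OpenSSL ...". The closing sentence also covers only "the file variant", so the text should say whether the requirement of one CRL per signing element applies to the directory form as well.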
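Review bot: in the third hunk (@@ -17257, tls_ocsp_file), the deleted note was the only statement in this section that multiple OCSP proofs are unsupported, and the replacement text speaks only of GnuTLS 3.5.6 or later. Add a sentence here saying what applies under OpenSSL and under older GnuTLS, consistent with the OpenSSL note changed in the first hunk. "The ordering of the two lists must match" should also say what happens when the two lists differ in length.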