On 12/19/18 at 11:15 AM, ietf-d...@dukhovni.org (Viktor Dukhovni) wrote:
> What I'd rather see is automation of certificate rotation, and
> increasingly (decreasingly?) short certificate lifetimes as
> with Let's Encrypt.
I think what you wanted to say was "increasingly shorter certificate lifeti
On Wed, Dec 19, 2018 at 01:40:43PM -0500, Viktor Dukhovni wrote:
> To that end, please post a "tshark" decode of a TLS 1.2 handshake
> (thus avoiding encrypted handshake records that make much of the
> TLS 1.3 handshake opaque, and your tshark may not yet support TLS
> 1.3). With reference to tha
On Wed, Dec 19, 2018 at 03:47:25PM +0100, T.Tributh wrote:
> Shall I open a ticket for openssl?
Before you do that, it would be good to have clarity about the
specific behaviour you're seeing and how it differs from what you
want, and whether you want to see changes in the client or in the
server
>Shall I open a ticket for openssl?
GnuTLS also seems not to be able to staple the status_response when in
client mode.
Feel free. One possible result is that the OpenSSL maintainers will say that
this is more about integration for the different servers that accept client
certificate
On 19.12.18 at 14:20, Rob Stradling wrote:
> On 19/12/2018 13:13, Salz, Rich wrote:
>>> OpenSSL already has some support for Must-Staple:
>>> https://github.com/openssl/openssl/pull/495
>>
>> Oops, yeah, you're right. But it's not really documented and not hooked up
>> to any pop
On 19/12/2018 13:13, Salz, Rich wrote:
>> OpenSSL already has some support for Must-Staple:
>> https://github.com/openssl/openssl/pull/495
>
> Oops, yeah, you're right. But it's not really documented and not hooked up
> to any popular server, is it? OpenSSL can parse it, but that's
>OpenSSL already has some support for Must-Staple:
>https://github.com/openssl/openssl/pull/495
Oops, yeah, you're right. But it's not really documented and not hooked up to
any popular server, is it? OpenSSL can parse it, but that's about it.
On 19/12/2018 01:18, Salz, Rich wrote:
>> The "exim" server claims to support stapling (for incoming connections)
>
> Yes, which isn't what I asked.
>
>> The Must-Staple belongs to the certificate which was requested
> including "1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05"
> in
>The "exim" server claims to support stapling (for incoming connections)
Yes, which isn't what I asked.
>The Must-Staple belongs to the certificate which was requested
including "1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05"
in the CSR.
Does the exim server understand that extensi
On 18.12.18 at 15:57, Salz, Rich wrote:
> Does the server claim to support must-staple?
>
The "exim" server claims to support stapling (for incoming connections)
The Must-Staple belongs to the certificate which was requested
including "1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05"
in the CSR.
Mos
Does the server claim to support must-staple?
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
Hi,
First, let me introduce my problem.
We take a small mail server, in this case exim, and enable TLS with an
OCSP-Must-Staple certificate. We add the status_request
as described in RFC 6066 and everything works fine for all clients
connecting to that server and sending mail.
Now we turn to sendi