To forestall questions: OpenSSL vulnerability CVE-2011-0014, "OCSP stapling vulnerability in OpenSSL", does *not* affect Exim.
This is the issue prompting the release of OpenSSL 0.9.8r and 1.0.0d. Key phrase from their advisory:

"Applications are only affected if they act as a server and call SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX."

Exim does not call that function. The function is used for the Certificate Status Request from RFC 3546 section 3.6; it's used when a client which wants to verify the revocation status of a certificate, but which doesn't want to ask an OCSP provider directly, asks the server to include "current" proof of non-revocation in the handshake. The function call acts as the hook for the application to provide that data into the OpenSSL library.

Will Exim ever use this? Since MTAs don't typically do certificate verification of any kind, no MTA<->MTA traffic is ever likely to do this. The Submission protocol is another matter entirely. For that, clients talk to the server and mail clients may well want the server to do this for them. I can see Exim one day implementing this feature, for the Submission port, turned on explicitly by the server admin (since it creates more work for the server). That will come after TLS SNI support and is not a high priority.

If there's anyone who *wants* that support, you'll need to point me to mail-clients which try to use this functionality, so that I can test interop. If you're a mail client developer and trying to break a chicken/egg deadlock, talk to me and we can sort out a solution.

-Phil
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
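The mechanism the post refers to, the status_request extension a client puts in its ClientHello and the CertificateStatus handshake message a server answers with (RFC 3546 section 3.6), as an added example that is not part of the original post and is not Exim or OpenSSL code. It encodes and parses both structures with strict length checks, which is the property a server-side hook such as the one behind SSL_CTX_set_tlsext_status_cb must rely on when handling attacker-supplied bytes. The responder IDs and the OCSP response are constructed placeholders; a real ResponderID and a real stapled OCSPResponse are DER structures obtained from the CA's OCSP responder.

```python
"""Wire format of the TLS status_request extension and the server's
CertificateStatus message (RFC 3546 section 3.6).  Added example; not
Exim or OpenSSL code.  Responder IDs and the OCSP response are constructed
placeholders, not real DER."""
import struct

STATUS_REQUEST_EXT = 5       # extension_type "status_request"
STATUS_TYPE_OCSP = 1         # CertificateStatusType.ocsp
HS_CERTIFICATE_STATUS = 22   # HandshakeType of the server's CertificateStatus message


class TLSParseError(ValueError):
    """A length field disagrees with the bytes actually present."""


def _vec(data, len_bytes):
    """RFC 2246 variable-length vector: big-endian length prefix, then contents."""
    if len(data) >= 1 << (8 * len_bytes):
        raise ValueError("vector too long for a %d-byte length" % len_bytes)
    return len(data).to_bytes(len_bytes, "big") + data


def _read_vec(buf, pos, len_bytes):
    """Read a vector at buf[pos:]; reject lengths that run past the buffer."""
    if pos + len_bytes > len(buf):
        raise TLSParseError("truncated length field")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise TLSParseError("length %d exceeds the %d bytes remaining" % (n, len(buf) - pos))
    return buf[pos:pos + n], pos + n


def encode_status_request(responder_ids=(), request_extensions=b""):
    """Client side: the status_request extension placed in ClientHello.extensions.
    OCSPStatusRequest = list of ResponderID<1..2^16-1> inside a <0..2^16-1>
    vector, followed by Extensions<0..2^16-1>."""
    ids = b"".join(_vec(r, 2) for r in responder_ids)
    body = bytes([STATUS_TYPE_OCSP]) + _vec(ids, 2) + _vec(request_extensions, 2)
    return struct.pack("!H", STATUS_REQUEST_EXT) + _vec(body, 2)


def decode_status_request(ext):
    """Server side: parse the extension.  An empty extension_data is what a
    server echoes in ServerHello to say it will send CertificateStatus."""
    if len(ext) < 2:
        raise TLSParseError("too short for an extension_type")
    if int.from_bytes(ext[:2], "big") != STATUS_REQUEST_EXT:
        raise TLSParseError("not a status_request extension")
    body, end = _read_vec(ext, 2, 2)
    if end != len(ext):
        raise TLSParseError("trailing bytes after extension_data")
    if not body:
        return {"status_type": None, "responder_ids": [], "request_extensions": b""}
    if body[0] != STATUS_TYPE_OCSP:
        raise TLSParseError("unsupported CertificateStatusType %d" % body[0])
    ids_blob, pos = _read_vec(body, 1, 2)
    exts, pos = _read_vec(body, pos, 2)
    if pos != len(body):
        raise TLSParseError("trailing bytes in OCSPStatusRequest")
    responder_ids, p = [], 0
    while p < len(ids_blob):
        rid, p = _read_vec(ids_blob, p, 2)
        if not rid:                       # opaque ResponderID<1..2^16-1>: never empty
            raise TLSParseError("empty ResponderID")
        responder_ids.append(rid)
    return {"status_type": STATUS_TYPE_OCSP, "responder_ids": responder_ids,
            "request_extensions": exts}


def encode_certificate_status(ocsp_response_der):
    """Server side: the CertificateStatus handshake message carrying the stapled
    OCSPResponse<1..2^24-1>; this is the data a status callback hands to the library."""
    if not ocsp_response_der:
        raise ValueError("OCSPResponse must not be empty")
    body = bytes([STATUS_TYPE_OCSP]) + _vec(ocsp_response_der, 3)
    return bytes([HS_CERTIFICATE_STATUS]) + _vec(body, 3)


def decode_certificate_status(msg):
    """Client side: extract the DER OCSPResponse, which the client must then
    verify against the CA's OCSP signing key (not shown here)."""
    if not msg or msg[0] != HS_CERTIFICATE_STATUS:
        raise TLSParseError("not a CertificateStatus message")
    body, end = _read_vec(msg, 1, 3)
    if end != len(msg):
        raise TLSParseError("trailing bytes after handshake body")
    if not body or body[0] != STATUS_TYPE_OCSP:
        raise TLSParseError("unsupported CertificateStatusType")
    resp, pos = _read_vec(body, 1, 3)
    if pos != len(body) or not resp:
        raise TLSParseError("malformed OCSPResponse vector")
    return resp


# Constructed sample data: stand-ins for DER ResponderIDs and a DER OCSPResponse.
SAMPLE_RESPONDER_IDS = (b"RID-A", b"RID-B")
SAMPLE_OCSP_RESPONSE = bytes.fromhex("30030a0100")   # OCSPResponse { responseStatus successful }

if __name__ == "__main__":
    ext = encode_status_request(SAMPLE_RESPONDER_IDS)
    print("ClientHello ext:", ext.hex(), decode_status_request(ext))
    cs = encode_certificate_status(SAMPLE_OCSP_RESPONSE)
    print("CertificateStatus:", cs.hex(), decode_certificate_status(cs).hex())
    try:   # an inner length that overstates the payload must be rejected, not trusted
        decode_status_request(bytes.fromhex("0005" "0005" "01" "0010" "0000"))
    except TLSParseError as e:
        print("rejected:", e)
```

Every length prefix is checked against the bytes that remain before any slice is taken, so a request whose inner ResponderID length overstates the payload fails closed with TLSParseError instead of being trusted; a real implementation would additionally bound the number of responder IDs it is willing to look at, since each one is work the server does before the client has proven anything.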
