OCSP URI http://r3.o.lencr.org
OCSP stapling not offered
OCSP must staple extension --
...
tlsa/dane "3 1 1" usage is noted
thx for the 'danectl' script.
i've my own key/record mgmt script that deals with my
On Sat, Jan 08, 2022 at 01:05:41PM +1100, raf wrote:
> Probably no real harm done. OCSP stapling is just a way to make it
> more private and more efficient for a web browser to verify that a
> website's certificate hasn't been revoked, by providing that
> information i
On Fri, Jan 07, 2022 at 05:47:55PM -0500, PGNet Dev wrote:
> > Postfix has no CRL or OCSP support, and none is planned.
>
> other than reporting the bad result, does the current (bad) config cause any
> actual mail delivery breakage?
Probably no real harm done. OCSP stapling i
On Fri, Jan 07, 2022 at 06:17:45PM -0500, PGNet Dev wrote:
> > Absent DANE, this is all security theatre.
>
> yup. which is why i'm doing the step1 cleanups etc to get my own
> mistakes out of the way ... on the way to DNSSEC/DANE.
Be sure to do it right, or not at all. It does nobody a favour
i've clearly not noticed my mistake 'til now, and afaict have seen no
unexplained breakage. dunno if i should've and missed it, or it's
just noisy and ignorable?
Best to not solicit misbehaviour, even if typically nothing bad happens.
sure. not hoping to avoid fixing it! asking if i should'v
On Fri, Jan 07, 2022 at 05:47:55PM -0500, PGNet Dev wrote:
> > Postfix has no CRL or OCSP support, and none is planned.
>
> other than reporting the bad result, does the current (bad) config
> cause any actual mail delivery breakage?
It could, if the sending MTA implements OCSP and honours the e
Session ID resumption is by default disabled. This is a feature, let
the client store a session ticket if it wants, otherwise it does a fresh
handshake. This makes sense for SMTP.
OCSP stapling not offered
??? OCSP must staple extension requires OCSP
let
the client store a session ticket if it wants, otherwise it does a fresh
handshake. This makes sense for SMTP.
> OCSP stapling not offered
> ??? OCSP must staple extension requires OCSP stapling (NOT ok)
You made the mistake of using the "--must-sta
The other ??? item,
"Session Resumption Tickets: yes, ID resumption test failed, pls
report"
I've not found any guidance on at all, yet.
For postfix, do I care?
And if so, what/where is a fix?
did find this comment at SF,
"Certbot — Post-Handshake New Session Ticket a
Signature Algorithm SHA256 with RSA
Server key size RSA 4096 bits
...
Issuer R3 (Let's Encrypt from US)
...
OCSP URI http://r3.o.lencr.org
OCSP stapling
Thanks Viktor!
Regards,
Nik
> On Nov 16, 2017, at 12:41 PM, Nik Kostaras
> wrote:
>
> Hi all,
>
> I'd like to ask your view about OCSP Stapling in postfix.
> Do you think that it adds value for certificate revocation without
> overcomplicating the code and slowing down the performance
Hi all,
I'd like to ask your view about OCSP Stapling in postfix.
Do you think that it adds value for certificate revocation without
overcomplicating the code and slowing down the performance
(assuming that the stapling process and OCSP caching would be handled outside
the scope of postfix
13 matches