authorJeremy Harris <jgh146exb@wizmail.org>2014-09-12 21:13:47 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2014-09-12 21:13:47 +0100
commit4f59c424dabfc69b7313d84685df68dd406d6ff9 (patch)
tree10b1555a2aebcee6aadc017f46cd9b3cd762c8e7
parent0eb51736637f6c93a2fd6cb65316f8ae11f0a0be (diff)
Fix needless OCSP request under DANE
usage 3 and with require_ocsp in play though inactive
-rw-r--r--doc/doc-docbook/spec.xfpt2
-rw-r--r--src/src/tls-openssl.c29
2 files changed, 16 insertions, 15 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 28597c352..e5f307882 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -26309,7 +26309,7 @@ an identically named option for the &(smtp)& transport. In each case, the value
of the option is expanded and must then be the name of a file that contains a
CRL in PEM format.
The downside is that clients have to periodically re-download a potentially huge
-file from every certificate authority the know of.
+file from every certificate authority they know of.
The way with most moving parts at query time is Online Certificate
Status Protocol (OCSP), where the client verifies the certificate
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7d9ab8b4d..b77ed32e1 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1784,28 +1784,29 @@ tls_out.tlsa_usage = 0;
#ifndef DISABLE_OCSP
{
+# ifdef EXPERIMENTAL_DANE
+ if ( tlsa_dnsa
+ && ob->hosts_request_ocsp[0] == '*'
+ && ob->hosts_request_ocsp[1] == '\0'
+ )
+ {
+ /* Unchanged from default. Use a safer one under DANE */
+ request_ocsp = TRUE;
+ ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
+ " {= {4}{$tls_out_tlsa_usage}} } "
+ " {*}{}}";
+ }
+# endif
+
if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
NULL, host->name, host->address, NULL) == OK))
request_ocsp = TRUE;
else
- {
# ifdef EXPERIMENTAL_DANE
- if ( tlsa_dnsa
- && ob->hosts_request_ocsp[0] == '*'
- && ob->hosts_request_ocsp[1] == '\0'
- )
- {
- /* Unchanged from default. Use a safer one under DANE */
- request_ocsp = TRUE;
- ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
- " {= {4}{$tls_out_tlsa_usage}} } "
- " {*}{}}";
- }
- else
+ if (!request_ocsp)
# endif
request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp,
NULL, host->name, host->address, NULL) == OK;
- }
}
#endif
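Review bot: The comment on the relocated DANE block (`/* Unchanged from default. Use a safer one under DANE */`) does not explain why `request_ocsp` is forced TRUE while the substituted list tests `$tls_out_tlsa_usage`, a value the hunk context itself zeroes (`tls_out.tlsa_usage = 0`) and which cannot be known before the TLSA data is consulted; presumably the list is re-evaluated later once that variable is populated, but nothing here says so, and a reader cannot tell that the early TRUE only arranges OCSP setup rather than the final decision. Suggest extending it to `/* Default list under DANE: force OCSP setup now; the substituted list is re-checked once $tls_out_tlsa_usage is known, so hosts whose usage makes OCSP needless skip the request */`, worded to match wherever that re-check lives. The assignment also overwrites `ob->hosts_request_ocsp` in the transport options block, so any later host handled by the same process no longer passes the `'*'`/`'\0'` default test — harmless if the replacement is the intended value, but worth a one-line comment. Lastly, the `else` preceding `# ifdef EXPERIMENTAL_DANE` now governs either `if (!request_ocsp) request_ocsp = ...;` or the bare assignment depending on the build; bracing that `else` body would make it read the same under both configurations. The enclosing function starts and ends outside the hunk.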