authorJeremy Harris <jgh146exb@wizmail.org>2014-12-04 19:17:47 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2014-12-04 19:17:47 +0000
commit02af313dc5374b79f04fd9961b74835dcc0389e8 (patch)
tree3a96c6a20e89a9e81164a4f59d3bfb45c130fb6f /src
parent3750d68d17a77fe0d51906e49fc09e24c5864a29 (diff)
Fail a DANE-mode verify on totally missing certificate
Diffstat (limited to 'src')
-rw-r--r--src/src/tls-openssl.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 9aa655e82..c23ac031f 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1872,7 +1872,9 @@ if (expciphers != NULL)
#ifdef EXPERIMENTAL_DANE
if (tlsa_dnsa)
{
- SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane);
+ SSL_CTX_set_verify(client_ctx,
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ verify_callback_client_dane);
if (!DANESSL_library_init())
return tls_error(US"library init", host, NULL);
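Review bot: `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` in the new `SSL_CTX_set_verify(client_ctx, ...)` call is documented by OpenSSL as a server-mode flag that is ignored in client mode, so on this client context it may not by itself enforce what the commit title promises. OpenSSL also documents that `SSL_VERIFY_PEER` is ignored on a client when an anonymous cipher is negotiated and no server certificate is sent, in which case `verify_callback_client_dane` would presumably never run. I would add an explicit check after the handshake that a peer certificate is present (`SSL_get_peer_certificate()` non-NULL) whenever `tlsa_dnsa` is set, failing through `tls_error()` otherwise, or make sure the DANE path excludes `aNULL` suites; whether the DANESSL layer already covers this is not visible here. A comment such as `/* FAIL_IF_NO_PEER_CERT is ignored by OpenSSL in client mode; absence of a cert is checked after connect */` would keep the next reader from relying on the flag alone. The `if (tlsa_dnsa)` block continues past the end of the hunk.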