authorJeremy Harris <jgh146exb@wizmail.org>2014-08-17 16:38:32 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2014-08-17 16:38:32 +0100
commitfca41d5a245023376c7d7716a3f84abc2aaa4b8e (patch)
tree8f48112a51ad4f7dee03f491501926b057545dd3 /src
parentb50c8b8487f906a7e18580e9020783afde09d9f7 (diff)
Override an unchanged default hosts_request_ocsp when DANE is used
Diffstat (limited to 'src')
-rw-r--r--src/src/tls-openssl.c27
-rw-r--r--src/src/transports/smtp.c2
2 files changed, 23 insertions, 6 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index de2e7a3bd..343122615 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1771,11 +1771,28 @@ else if (dane_required)
#ifndef DISABLE_OCSP
{
- require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
- NULL, host->name, host->address, NULL) == OK;
- request_ocsp = require_ocsp ? TRUE
- : verify_check_this_host(&ob->hosts_request_ocsp,
- NULL, host->name, host->address, NULL) == OK;
+ if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
+ NULL, host->name, host->address, NULL) == OK))
+ request_ocsp = TRUE;
+ else
+ {
+# ifdef EXPERIMENTAL_DANE
+ if ( dane
+ && ob->hosts_request_ocsp[0] == '*'
+ && ob->hosts_request_ocsp[1] == '\0'
+ )
+ {
+ /* Unchanged from default. Use a safer one under DANE */
+ request_ocsp = TRUE;
+ ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
+ " {= {4}{$tls_out_tlsa_usage}} } "
+ " {*}{}}";
+ }
+ else
+# endif
+ request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp,
+ NULL, host->name, host->address, NULL) == OK;
+ }
}
#endif
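Review bot: The assignment to `ob->hosts_request_ocsp` inside the DANE branch rewrites the transport's option block itself, not a per-connection value, so the "unchanged from default" test on the two lines above it (`hosts_request_ocsp[0] == '*' && [1] == '\0'`) can only be true for the first DANE connection handled by that options block; every later connection through the same transport — DANE or not, if the block is reused within the process — evaluates the substituted `${if or {...}}` list instead of `*`. That may be acceptable since the substituted expansion appears to reduce to `*` whenever `$tls_out_tlsa_usage` is 0, but it is a persistent side effect of a TLS-negotiation path and deserves to be stated; I would extend the comment to `/* Unchanged from default. Use a safer one under DANE. Note this rewrites the shared transport option for the rest of this process, so later hosts see the expansion rather than "*" */`. If the substituted value is only needed for this connection, keeping it in a local `uschar *` and passing that to `verify_check_this_host` would avoid the cross-host leakage entirely. The enclosing `if (tls_out.dane_verified) ... else if (dane_required)` chain begins before this hunk.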
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 9abc69d51..1865adee8 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -216,7 +216,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
NULL, /* hosts_try_prdr */
#endif
#ifndef DISABLE_OCSP
- US"*", /* hosts_request_ocsp */
+ US"*", /* hosts_request_ocsp (except under DANE) */
NULL, /* hosts_require_ocsp */
#endif
NULL, /* hosts_require_tls */