DANE/GnuTLS: ignore traditional CA anchor validation in DANE-EE mode

Not quite right for a mixed TA+EE set of TLSA records, but better than always-enforcing
author: Jeremy Harris <jgh146exb@wizmail.org> 2017-12-20 21:14:06 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2017-12-20 22:03:23 +0000
commit: 28646fa9c74b94722eadd7bc2d9c285245aded80 (patch)
tree: 213e769b061562eb002237306a5da80b70c56d0c /test/stdout/5840
parent: 944e8b37e80589aef9de20ea5fedd98bc0900307 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/test/stdout/5840 b/test/stdout/5840
index 36a3bd158..947f802a7 100644
--- a/test/stdout/5840
+++ b/test/stdout/5840
@@ -25,6 +25,8 @@
 ### A server insecurely serving a good TLSA record, dane required (delivery should fail)
 ### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
 ### A server insecurely serving a good A record, dane required (delivery should fail)
+### A server with a name not matching the cert.  TA-mode; should fail
+### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
 
 ******** SERVER ********
 ### TLSA (3 1 1)
@@ -45,3 +47,5 @@
 ### A server insecurely serving a good TLSA record, dane required (delivery should fail)
 ### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
 ### A server insecurely serving a good A record, dane required (delivery should fail)
+### A server with a name not matching the cert.  TA-mode; should fail
+### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
author	Jeremy Harris <jgh146exb@wizmail.org>	2017-12-20 21:14:06 +0000
committer	Jeremy Harris <jgh146exb@wizmail.org>	2017-12-20 22:03:23 +0000
commit	28646fa9c74b94722eadd7bc2d9c285245aded80 (patch)
tree	213e769b061562eb002237306a5da80b70c56d0c /test/stdout/5840
parent	944e8b37e80589aef9de20ea5fedd98bc0900307 (diff)