-rw-r--r-- | src/src/dane-openssl.c | 17 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 6 | ||||
-rw-r--r-- | test/scripts/2100-OpenSSL/2100 | 2 |
3 files changed, 21 insertions, 4 deletions
diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index 407e6800d..4a177807a 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -859,6 +859,8 @@ X509 *cert = ctx->cert; /* XXX: accessor? */
 int matched = 0;
 int chain_length = sk_X509_num(ctx->chain);
+DEBUG(D_tls) debug_printf("Dane library verify_chain fn called\n");
+
 issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER];
 leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF];
 ctx->verify = dane->verify;
@@ -950,6 +952,8 @@ int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
 int matched;
 X509 *cert = ctx->cert; /* XXX: accessor? */
+DEBUG(D_tls) debug_printf("Dane library verify_cert fn called\n");
+
 if(ssl_idx < 0)
 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
 if(dane_idx < 0)
@@ -1080,6 +1084,8 @@ DANESSL_cleanup(SSL *ssl)
 ssl_dane *dane;
 int u;
+DEBUG(D_tls) debug_printf("Dane library cleanup fn called\n");
+
 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
 return;
 (void) SSL_set_ex_data(ssl, dane_idx, 0);
@@ -1100,6 +1106,7 @@ if(dane->roots)
 if(dane->chain)
 sk_X509_pop_free(dane->chain, X509_free);
 OPENSSL_free(dane);
+DEBUG(D_tls) debug_printf("Dane library cleanup fn return\n");
 }
 static dane_host_list
@@ -1155,6 +1162,8 @@ dane_cert_list xlist = 0;
 dane_pkey_list klist = 0;
 const EVP_MD *md = 0;
+DEBUG(D_tls) debug_printf("Dane add_tlsa\n");
+
 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
 {
 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_DANE_INIT);
@@ -1324,12 +1333,14 @@ int i;
 #ifdef OPENSSL_INTERNAL
 SSL_CTX *sctx = SSL_get_SSL_CTX(ssl);
+
 if(sctx->app_verify_callback != verify_cert)
 {
 DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_SCTX_INIT);
 return -1;
 }
 #else
+DEBUG(D_tls) debug_printf("Dane ssl_init\n");
 if(dane_idx < 0)
 {
 DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT);
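Review bot: The new `DEBUG(D_tls) debug_printf(...)` call in verify_chain binds this file directly to exim's debug macro and selector, and the `DANESSL_*` naming plus the "Dane library" wording of the messages suggest the file is a vendored copy of an external DANE library, which makes later re-syncs with upstream harder. A single file-local hook would keep the exim-specific part in one place, e.g. `#define DANE_DEBUG(fmt) DEBUG(D_tls) debug_printf(fmt)` near the top of the file, with the trace lines calling `DANE_DEBUG("Dane library verify_chain fn called\n");`. The same applies to the other trace lines added in this file. verify_chain's body starts and ends outside the hunk.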
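Review bot: The `Dane ssl_init` trace is added only in the `#else` arm, so a build with `OPENSSL_INTERNAL` defined prints nothing when this entry point is reached, unlike the other entry points instrumented in this commit. Placing `DEBUG(D_tls) debug_printf("Dane ssl_init\n");` above the `#ifdef OPENSSL_INTERNAL` line gives the trace in both configurations. The blank line added after the `sctx` declaration is fine. The enclosing function starts and ends outside the hunk.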
@@ -1351,7 +1362,11 @@ if(!SSL_set_ex_data(ssl, dane_idx, dane))
 OPENSSL_free(dane);
 return 0;
 }
+DEBUG(D_tls) debug_printf("Dane ssl-init: new dane struct: %p\n", dane);
+dane->verify = 0;
+dane->hosts = 0;
+dane->thost = 0;
 dane->pkeys = 0;
 dane->certs = 0;
 dane->chain = 0;
@@ -1396,6 +1411,7 @@ Return
 int
 DANESSL_CTX_init(SSL_CTX *ctx)
 {
+DEBUG(D_tls) debug_printf("Dane ctx-init\n");
 if(dane_idx >= 0)
 {
 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
@@ -1481,6 +1497,7 @@ Return
 int
 DANESSL_library_init(void)
 {
+DEBUG(D_tls) debug_printf("Dane lib-init\n");
 if(err_lib_dane < 0)
 init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index b96dbbf04..fa29f4ed9 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1608,16 +1608,16 @@ int rc;
 static uschar cipherbuf[256];
 #ifndef DISABLE_OCSP
-BOOL require_ocsp = FALSE;
 BOOL request_ocsp = FALSE;
+BOOL require_ocsp = FALSE;
 #endif
 #ifdef EXPERIMENTAL_DANE
-BOOL dane_in_use;
+BOOL dane_in_use = FALSE;
 #endif
 #ifdef EXPERIMENTAL_DANE
 /*XXX TBD: test for transport options, and for TLSA records */
-dane_in_use = FALSE;
+/*dane_in_use = TRUE;*/
 if (!dane_in_use)
 #endif
diff --git a/test/scripts/2100-OpenSSL/2100 b/test/scripts/2100-OpenSSL/2100
index c2b0f8981..61c2fd6fb 100644
--- a/test/scripts/2100-OpenSSL/2100
+++ b/test/scripts/2100-OpenSSL/2100
@@ -4,7 +4,7 @@ exim -DSERVER=server -bd -oX PORT_D
 exim CALLER@test.ex
 Testing
 ****
-exim -qf
+exim -d+all -qf
 ****
 killdaemon
 no_msglog_check
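Review bot: Zeroing `dane->verify`, `dane->hosts` and `dane->thost` one field at a time, after the struct has already been handed to `SSL_set_ex_data`, still leaves any field not on this list uninitialised, and the list has to be remembered every time `ssl_dane` grows; the cleanup path in this same file frees whatever it finds in the struct (see the `dane->chain` pop_free in the cleanup hunk), so a stray non-zero pointer here would turn into a bad free. Zeroing the whole object once, right after it is allocated and before the ex-data registration, is the robust form: `memset(dane, 0, sizeof *dane);` (the allocation sits above the hunk; if it already uses a zeroing allocator, the per-field stores are redundant and can go). The `%p` in the new trace writes a heap address into the debug stream, which is acceptable for operator-enabled `-d` output but should not be copied into a retained log. The enclosing function starts and ends outside the hunk.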
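Review bot: `/*dane_in_use = TRUE;*/` is commented-out code standing in for the only assignment to `dane_in_use`; with the initialiser now `FALSE` and nothing else setting it, `if (!dane_in_use)` is always taken and the DANE branch below is unreachable in every build, which the existing `/*XXX TBD ... */` comment only partly conveys. Drop the commented-out line and let the TBD comment stand alone, or replace it with the real decision (transport option and TLSA lookup) once that code exists, so a reader does not have to guess whether the flag is meant to be flipped by hand. The `require_ocsp`/`request_ocsp` reorder is cosmetic. The enclosing function starts and ends outside the hunk.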
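Review bot: `-d+all` enables every debug selector for the queue run, so the expected-output file for test 2100 (not shown here) has to carry the full debug transcript, which shifts with almost any unrelated change and makes the test brittle. If the intent is to see the new DANE traces, `-d+tls` is the selector those `DEBUG(D_tls)` lines use and is enough: `exim -d+tls -qf`. A debug flag left in a regression script usually indicates it was meant for a local run; confirm before merging.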