4 files changed, 34 insertions, 7 deletions

diff --git a/src/src/expand.c b/src/src/expand.c
index e5af63d89..ba2c6f7cd 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -684,6 +684,9 @@ static var_entry var_table[] = {
   { "tls_out_bits",        vtype_int,         &tls_out.bits },
   { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
   { "tls_out_cipher",      vtype_stringptr,   &tls_out.cipher },
+#ifdef EXPERIMENTAL_DANE
+  { "tls_out_dane",        vtype_bool,        &tls_out.dane_verified },
+#endif
   { "tls_out_ocsp",        vtype_int,         &tls_out.ocsp },
   { "tls_out_ourcert",     vtype_cert,        &tls_out.ourcert },
   { "tls_out_peercert",    vtype_cert,        &tls_out.peercert },
@@ -691,6 +694,9 @@ static var_entry var_table[] = {
 #if defined(SUPPORT_TLS)
   { "tls_out_sni",         vtype_stringptr,   &tls_out.sni },
 #endif
+#ifdef EXPERIMENTAL_DANE
+  { "tls_out_tlsa_usage",  vtype_int,         &tls_out.tlsa_usage },
+#endif
 
   { "tls_peerdn",          vtype_stringptr,   &tls_in.peerdn },	/* mind the alphabetical order! */
 #if defined(SUPPORT_TLS)
diff --git a/src/src/globals.c b/src/src/globals.c
index d09903d65..409c324e9 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -105,6 +105,7 @@ tls_support tls_in = {
  FALSE,/* tls_certificate_verified */
 #ifdef EXPERIMENTAL_DANE
  FALSE,/* dane_verified */
+ 0,    /* tlsa_usage */
 #endif
  NULL, /* tls_cipher */
  FALSE,/* tls_on_connect */
@@ -121,6 +122,7 @@ tls_support tls_out = {
  FALSE,/* tls_certificate_verified */
 #ifdef EXPERIMENTAL_DANE
  FALSE,/* dane_verified */
+ 0,    /* tlsa_usage */
 #endif
  NULL, /* tls_cipher */
  FALSE,/* tls_on_connect */
diff --git a/src/src/globals.h b/src/src/globals.h
index 654114848..1adda6411 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -84,6 +84,7 @@ typedef struct {
   BOOL    certificate_verified; /* Client certificate verified */
 #ifdef EXPERIMENTAL_DANE
   BOOL    dane_verified;        /* ... via DANE */
+  int     tlsa_usage;         /* TLSA record(s) usage */
 #endif
   uschar *cipher;             /* Cipher used */
   BOOL    on_connect;         /* For older MTAs that don't STARTTLS */
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 144be6f63..57b0808fb 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1693,6 +1693,8 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
       return tls_error(US"tlsa load", host, NULL);
     case 1:	break;
     }
+
+  tls_out.tlsa_usage |= 1<<usage;
   }
 
 if (found)
@@ -1745,6 +1747,7 @@ BOOL dane_required;
 
 #ifdef EXPERIMENTAL_DANE
 tls_out.dane_verified = FALSE;
+tls_out.tlsa_usage = 0;
 dane_required = verify_check_this_host(&ob->hosts_require_dane, NULL,
 			  host->name, host->address, NULL) == OK;
 
@@ -1764,7 +1767,6 @@ else if (dane_required)
   log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC");
   return FAIL;
   }
-
 #endif
 
 #ifndef DISABLE_OCSP
@@ -1855,23 +1857,39 @@ if (ob->tls_sni)
     }
   }
 
+#ifdef EXPERIMENTAL_DANE
+if (dane)
+  if ((rc = dane_tlsa_load(client_ssl, host, &tlsa_dnsa)) != OK)
+    return rc;
+#endif
+
 #ifndef DISABLE_OCSP
 /* Request certificate status at connection-time.  If the server
 does OCSP stapling we will get the callback (set in tls_init()) */
 if (request_ocsp)
   {
+  const uschar * s;
+  if (  (s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage")
+     || (s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage")
+     )
+    {	/* Re-eval now $tls_out_tlsa_usage is populated.  If
+    	this means we avoid the OCSP request, we wasted the setup
+	cost in tls_init(). */
+    require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
+      NULL, host->name, host->address, NULL) == OK;
+    request_ocsp = require_ocsp ? TRUE
+      : verify_check_this_host(&ob->hosts_request_ocsp,
+	  NULL, host->name, host->address, NULL) == OK;
+    }
+  }
+if (request_ocsp)
+  {
   SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
   client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
   tls_out.ocsp = OCSP_NOT_RESP;
   }
 #endif
 
-#ifdef EXPERIMENTAL_DANE
-if (dane)
-  if ((rc = dane_tlsa_load(client_ssl, host, &tlsa_dnsa)) != OK)
-    return rc;
-#endif
-
 
 /* There doesn't seem to be a built-in timeout on connection. */