summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/src/dane-openssl.c6
-rw-r--r--src/src/dns.c2
-rw-r--r--src/src/tls-openssl.c12
3 files changed, 10 insertions, 10 deletions
diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index aee6323bf..4f90caa4a 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -1162,7 +1162,8 @@ dane_cert_list xlist = 0;
dane_pkey_list klist = 0;
const EVP_MD *md = 0;
-DEBUG(D_tls) debug_printf("Dane add_tlsa\n");
+DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
+ usage, selector, mdname);
if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
{
@@ -1340,7 +1341,7 @@ if(sctx->app_verify_callback != verify_cert)
return -1;
}
#else
-DEBUG(D_tls) debug_printf("Dane ssl_init\n");
+DEBUG(D_tls) debug_printf("Dane ssl-init\n");
if(dane_idx < 0)
{
DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT);
@@ -1362,7 +1363,6 @@ if(!SSL_set_ex_data(ssl, dane_idx, dane))
OPENSSL_free(dane);
return 0;
}
-DEBUG(D_tls) debug_printf("Dane ssl-init: new dane struct: %p\n", dane);
dane->verify = 0;
dane->hosts = 0;
diff --git a/src/src/dns.c b/src/src/dns.c
index 6efb88d58..3d047abba 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -607,7 +607,7 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
/* For an SRV lookup, skip over the first two components (the service and
protocol names, which both start with an underscore). */
- if (type == T_SRV)
+ if (type == T_SRV || type == T_TLSA)
{
while (*checkname++ != '.');
while (*checkname++ != '.');
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index eb74605da..70ac63f16 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1663,8 +1663,8 @@ if (host->dnssec == DS_YES)
}
else if (dane_required)
{
- /* Hmm - what lookup, precisely? */
/*XXX a shame we only find this after making tcp & smtp connection */
+ /* move the test earlier? */
log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC");
return FAIL;
}
@@ -1714,9 +1714,9 @@ if (expciphers != NULL)
if (dane)
{
if (!DANESSL_library_init())
- return tls_error(US"library init", host, US"DANE library error");
+ return tls_error(US"library init", host, NULL);
if (DANESSL_CTX_init(client_ctx) <= 0)
- return tls_error(US"context init", host, US"DANE library error");
+ return tls_error(US"context init", host, NULL);
}
else
@@ -1777,7 +1777,7 @@ if (dane)
uschar * hostnames[2] = { host->name, NULL };
if (DANESSL_init(client_ssl, NULL, hostnames) != 1)
- return tls_error(US"hostnames load", host, US"DANE library error");
+ return tls_error(US"hostnames load", host, NULL);
for (rr = dns_next_rr(&tlsa_dnsa, &dnss, RESET_ANSWERS);
rr;
@@ -1805,8 +1805,8 @@ if (dane)
mdname, p, rr->size - (p - rr->data)))
{
default:
- case 0: /* action not taken; log error */
- return FAIL;
+ case 0: /* action not taken */
+ return tls_error(US"tlsa load", host, NULL);
case 1: break;
}
}