Diffstat (limited to 'src')
-rw-r--r-- | src/src/receive.c | 2 | ||||
-rw-r--r-- | src/src/smtp_in.c | 2 | ||||
-rw-r--r-- | src/src/tls-gnu.c | 2 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 1 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 1 |
5 files changed, 5 insertions, 3 deletions
diff --git a/src/src/receive.c b/src/src/receive.c
index 707fe07f7..95c44c01c 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -4004,7 +4004,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher) if (LOGGING(tls_peerdn) && tls_in.peerdn) g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\""); if (LOGGING(tls_sni) && tls_in.sni)
- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
+ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
 #endif if (sender_host_authenticated)
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 3325d54c6..aa1d5b09c 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1812,7 +1812,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher) if (LOGGING(tls_peerdn) && tls_in.peerdn) g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\""); if (LOGGING(tls_sni) && tls_in.sni)
- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
+ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
 return g; } #endif
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 013d9c0e8..cf3804982 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2868,7 +2868,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->so /* If dane is flagged, have either request or require dane for this host, and a TLSA record found. Therefore, dane verify required. Which implies cert must be requested and supplied, dane verify must pass, and cert verify irrelevant
-(incl. hostnames), and (caller handled) require_tls */
+(incl. hostnames), and (caller handled) require_tls and sni=$domain */
 if (conn_args->dane && ob->dane_require_tls_ciphers) {
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 64f60b7e4..5bc9f8f53 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
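Review bot: The SNI value is supplied by the remote TLS client, and with the surrounding quotes gone in the receive.c hunk the log field is delimited only by whatever `string_printing2(tls_in.sni, SP_TAB|SP_SPACE)` escapes. That call looks intended to escape tabs and spaces so the value cannot run into the next field, but this should be confirmed against its definition, and an SNI that is non-NULL but empty would now log as a bare `SNI=`. I would add a comment above the line such as `/* SNI is peer-supplied: whitespace is escaped so the unquoted value cannot be read as a second log field */`. The identical line in src/src/smtp_in.c (@@ -1812) has the same issue, and the two copies could share one helper; both enclosing functions start outside their hunks. Log consumers that match `SNI="…"` will also need the format change documented.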
@@ -3200,6 +3200,7 @@ tlsp->tlsa_usage = 0; #ifndef DISABLE_OCSP { # ifdef SUPPORT_DANE
+ /*XXX this should be moved to caller, to be common across gnutls/openssl */
 if ( conn_args->dane && ob->hosts_request_ocsp[0] == '*' && ob->hosts_request_ocsp[1] == '\0'
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 341acde2d..fef4717f5 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2018,6 +2018,7 @@ if (!continue_hostname) { case OK: sx->conn_args.dane = TRUE; ob->tls_tempfail_tryclear = FALSE;
+ ob->tls_sni = sx->addrlist->domain;
 break; case FAIL_FORCED: break; default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER, |
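Review bot: In the transports/smtp.c hunk the forced SNI is taken from `sx->addrlist->domain`, the recipient domain of the first address, whereas RFC 7672 (section 8.1, as I read it) asks a DANE client to send the TLSA base domain, which for MX-routed mail is the host name the TLSA lookup was made for; please confirm which is intended. The assignment also writes into `ob`, which appears to be the transport's options block, so the override (like `tls_tempfail_tryclear` on the line above) may persist for later non-DANE connections made through the same block and silently replaces any configured value; that depends on the lifetime of `ob`, which is not visible here. At minimum I would annotate the line, e.g. `ob->tls_sni = sx->addrlist->domain; /* DANE: force SNI, overrides any configured tls_sni */`. The enclosing switch and function start and end outside the hunk.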