Diffstat (limited to 'src')
-rw-r--r--src/src/receive.c2
-rw-r--r--src/src/smtp_in.c2
-rw-r--r--src/src/tls-gnu.c2
-rw-r--r--src/src/tls-openssl.c1
-rw-r--r--src/src/transports/smtp.c1
5 files changed, 5 insertions, 3 deletions
diff --git a/src/src/receive.c b/src/src/receive.c
index 707fe07f7..95c44c01c 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -4004,7 +4004,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher)
if (LOGGING(tls_peerdn) && tls_in.peerdn)
g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
if (LOGGING(tls_sni) && tls_in.sni)
- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
+ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
#endif
if (sender_host_authenticated)
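Review bot: With the quotes dropped, an empty `tls_in.sni` would log a bare ` SNI=` that runs straight into the next field, because the guard on the changed line tests only the pointer; if an empty SNI can reach here, `if (LOGGING(tls_sni) && tls_in.sni && *tls_in.sni)` would avoid it. The value is supplied by the TLS peer, so the unquoted form relies entirely on `string_printing2()` with `SP_TAB|SP_SPACE` escaping every separator a log parser splits on; a comment such as `/* SNI is peer-supplied: escape space and tab so it stays a single log token */` would record that intent. The DN field just above stays quoted and still goes through `string_printing()`, so the two peer-controlled fields are now formatted differently and parsers keyed on `SNI="..."` will need updating. The smtp_in.c hunk makes the identical change and the same points apply there. The enclosing function starts and ends outside the hunk.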
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 3325d54c6..aa1d5b09c 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1812,7 +1812,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher)
if (LOGGING(tls_peerdn) && tls_in.peerdn)
g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
if (LOGGING(tls_sni) && tls_in.sni)
- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
+ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
return g;
}
#endif
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 013d9c0e8..cf3804982 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2868,7 +2868,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->so
/* If dane is flagged, have either request or require dane for this host, and
a TLSA record found. Therefore, dane verify required. Which implies cert must
be requested and supplied, dane verify must pass, and cert verify irrelevant
-(incl. hostnames), and (caller handled) require_tls */
+(incl. hostnames), and (caller handled) require_tls and sni=$domain */
if (conn_args->dane && ob->dane_require_tls_ciphers)
{
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 64f60b7e4..5bc9f8f53 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -3200,6 +3200,7 @@ tlsp->tlsa_usage = 0;
#ifndef DISABLE_OCSP
{
# ifdef SUPPORT_DANE
+ /*XXX this should be moved to caller, to be common across gnutls/openssl */
if ( conn_args->dane
&& ob->hosts_request_ocsp[0] == '*'
&& ob->hosts_request_ocsp[1] == '\0'
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 341acde2d..fef4717f5 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2018,6 +2018,7 @@ if (!continue_hostname)
{
case OK: sx->conn_args.dane = TRUE;
ob->tls_tempfail_tryclear = FALSE;
+ ob->tls_sni = sx->addrlist->domain;
break;
case FAIL_FORCED: break;
default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
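Review bot: The added `ob->tls_sni = sx->addrlist->domain;` in the `OK` case silently replaces any administrator-configured `tls_sni` and writes it into the transport options block, which presumably outlives this connection, so the override may carry over to later non-DANE hosts unless it is reset elsewhere. RFC 7672 asks DANE SMTP clients to send the TLSA base domain as SNI, which for MX-routed mail is the MX host name rather than the recipient domain, so it is worth confirming that the recipient domain is the intended value here. If `tls_sni` is later passed through string expansion, the raw domain should also be checked for characters the expander would interpret. At minimum a comment such as `/* DANE: force SNI, overriding any configured tls_sni */` would make the override visible. The switch and its enclosing function extend beyond the hunk.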