From 28646fa9c74b94722eadd7bc2d9c285245aded80 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Wed, 20 Dec 2017 21:14:06 +0000
Subject: DANE/GnuTLS: ignore traditional CA anchor validation in DANE-EE mode

Not quite right for a mixed TA+EE set of TLSA records, but better than always-enforcing
---
 test/stderr/5820 | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'test/stderr/5820')

diff --git a/test/stderr/5820 b/test/stderr/5820
index 8cd66384e..43492b5f7 100644
--- a/test/stderr/5820
+++ b/test/stderr/5820
@@ -79,6 +79,8 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server insecurely serving a good TLSA record, dane required (delivery should fail)
 ### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
 ### A server insecurely serving a good A record, dane required (delivery should fail)
+### A server with a name not matching the cert.  TA-mode; should fail
+### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
 
 ******** SERVER ********
 ### TLSA (3 1 1)
@@ -98,3 +100,5 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server insecurely serving a good TLSA record, dane required (delivery should fail)
 ### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
 ### A server insecurely serving a good A record, dane required (delivery should fail)
+### A server with a name not matching the cert.  TA-mode; should fail
+### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
-- 
cgit v1.2.3