From 94c1328507098238ae5ec784150c1ae58f3b3118 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 22 Dec 2017 17:19:37 +0000 Subject: DANE/GnuTLS: split verification of mixed sets of TLSA records by usage This is because we cannot do the required CA-anchor and names checks for TA-mode and not for EE-mode, without knowing which usage TLSA was used. --- test/stdout/5820 | 2 ++ 1 file changed, 2 insertions(+) (limited to 'test/stdout/5820') diff --git a/test/stdout/5820 b/test/stdout/5820 index 35e52c5d1..9bdf21c3f 100644 --- a/test/stdout/5820 +++ b/test/stdout/5820 @@ -24,6 +24,7 @@ ### A server insecurely serving a good TLSA record, dane required (delivery should fail) ### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) ### A server insecurely serving a good A record, dane required (delivery should fail) +### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode) ### A server with a name not matching the cert. TA-mode; should fail ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode @@ -45,5 +46,6 @@ ### A server insecurely serving a good TLSA record, dane required (delivery should fail) ### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) ### A server insecurely serving a good A record, dane required (delivery should fail) +### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode) ### A server with a name not matching the cert. TA-mode; should fail ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode -- cgit v1.2.3
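Review bot: In the first hunk (@@ -24,6 +24,7), the added header covers only the mixed-usage set in which the EE-mode record fails verification. There is no companion case where the TA-mode record is the one that fails, and none where every record in the mixed set fails and delivery should be refused. The commit message says verification is now split by usage so that the CA-anchor and names checks apply to TA-mode and not to EE-mode, so each direction of that split should have its own expected-output line, placed alongside this one before "A server with a name not matching the cert. TA-mode; should fail".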
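Review bot: In the second hunk (@@ -45,5 +46,6), the header wording "the EE-mode one failing verify (should deliver, DANE-mode)" leaves implicit which record is expected to verify and carry the delivery. The neighbouring headers state both the mode and the outcome ("TA-mode; should fail", "EE-mode; should deliver and claim DANE mode"), so consider naming the passing usage here as well, for example by adding "the TA-mode one passing". This view is limited to test/stdout/5820, so the test script that emits the header needs the same wording change for both output blocks to keep matching.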