From 28646fa9c74b94722eadd7bc2d9c285245aded80 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 20 Dec 2017 21:14:06 +0000 Subject: DANE/GnuTLS: ignore traditional CA anchor validation in DANE-EE mode Not quite right for a mixed TA+EE set of TLSA records, but better than always-enforcing --- test/stdout/5840 | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'test/stdout/5840') diff --git a/test/stdout/5840 b/test/stdout/5840 index 36a3bd158..947f802a7 100644 --- a/test/stdout/5840 +++ b/test/stdout/5840 @@ -25,6 +25,8 @@ ### A server insecurely serving a good TLSA record, dane required (delivery should fail) ### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) ### A server insecurely serving a good A record, dane required (delivery should fail) +### A server with a name not matching the cert. TA-mode; should fail +### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode ******** SERVER ******** ### TLSA (3 1 1) @@ -45,3 +47,5 @@ ### A server insecurely serving a good TLSA record, dane required (delivery should fail) ### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) ### A server insecurely serving a good A record, dane required (delivery should fail) +### A server with a name not matching the cert. TA-mode; should fail +### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode -- cgit v1.2.3
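Review bot: The mixed TA+EE case that the commit message calls "not quite right" has no test case in the first hunk (@@ -25,6 +25,8 @@), which adds name-mismatch headers only for pure TA-mode and pure EE-mode. Consider adding a third case header for a server with a name not matching the cert and a TLSA set containing both TA and EE records, with the currently expected outcome stated, so the known limitation is pinned by the test and a later fix shows up as a deliberate change in expected output.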
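Review bot: In the second hunk (@@ -45,3 +47,5 @@) the new headers state outcomes ("should fail", "should deliver and claim DANE mode"), but the lines visible in this file are only the "###" case headers, so nothing here asserts either result. Please confirm that the expected files where the delivery result and the DANE claim are recorded are updated for these two cases in the same commit, since this view is limited to test/stdout/5840. The EE-mode case matters most: it is the one where name checking is intentionally skipped, so the test should fail if the connection is accepted without being reported as DANE-verified.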