Gitweb:
http://git.exim.org/exim.git/commitdiff/eeb9276b22cd991157c46a068a85ffe59b948d75
Commit: eeb9276b22cd991157c46a068a85ffe59b948d75
Parent: 82525c6fc2b2c12202b93250c2774bf50baae300
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Aug 10 21:52:24 2014 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Aug 10 21:52:24 2014 +0100
Enable OCSP
---
doc/doc-txt/experimental-spec.txt | 8 +++++---
src/src/tls-openssl.c | 1 -
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index f141428..b1b89e0 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1234,7 +1234,8 @@ must have a correct name (SubjectName or SubjectAltName).
The use of OCSP-stapling should be considered, allowing
for fast revocation of certificates (which would otherwise
-be limited by the DNS TTL on the TLSA records).
+be limited by the DNS TTL on the TLSA records). However,
+this is likely to only be usable with DANE_TA.
For client-side DANE there are two new smtp transport options,
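Review bot: The added sentence "However, this is likely to only be usable with DANE_TA." gives no reason and leaves "this" ambiguous. A reader whose TLSA records use another certificate usage cannot tell whether OCSP stapling is unsupported, silently skipped, or will cause verification to fail. Suggest naming OCSP-stapling explicitly, stating why it is tied to DANE_TA, and saying what happens when stapling is requested or required in the other cases.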
@@ -1252,12 +1253,13 @@ If dane is in use the following transport options are ignored:
tls_verify_certificates
tls_crl
tls_verify_cert_hostnames
- hosts_require_ocsp (might rethink those two)
- hosts_request_ocsp
Currently dnssec_request_domains must be active (need to think about that)
and dnssec_require_domains is ignored.
+If verification was successful using DANE then the "CV" item
+in the delivery log line will show as "CV=dane".
+
--------------------------------------------------------------
End of file
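Review bot: Dropping hosts_require_ocsp and hosts_request_ocsp from the "ignored" list documents the new behaviour only by omission. Nothing in this hunk says the two options are now honoured when dane is in use, and the DANE_TA caveat from the previous hunk is not repeated here, where an operator setting these options would look. Suggest one explicit sentence on how both options behave under DANE. The added "CV=dane" log text is unrelated to the commit subject "Enable OCSP" and would sit better in its own commit, or at least be mentioned in the message.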
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index c05253f..1ec7786 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1696,7 +1696,6 @@ else if (dane_required)
return FAIL;
}
-if (!dane) /*XXX todo: enable ocsp with dane */
#endif
#ifndef DISABLE_OCSP
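Review bot: With the `if (!dane)` line removed ahead of the `#ifndef DISABLE_OCSP` block, nothing visible in this hunk distinguishes the TLSA usage before the OCSP code runs, while the documentation change in this same commit says OCSP is likely to be usable only with DANE_TA. Suggest confirming what the OCSP path does on a DANE connection that is not DANE_TA when hosts_require_ocsp matches, in particular whether a required but unusable staple fails the connection, and either guarding that case or documenting the outcome. A test case covering DANE with hosts_require_ocsp set would back up the removal of the XXX todo.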