Gitweb:
http://git.exim.org/exim.git/commitdiff/fca41d5a245023376c7d7716a3f84abc2aaa4b8e
Commit: fca41d5a245023376c7d7716a3f84abc2aaa4b8e
Parent: b50c8b8487f906a7e18580e9020783afde09d9f7
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Aug 17 16:38:32 2014 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Aug 17 16:38:32 2014 +0100
Override an unchanged default hosts_request_ocsp when DANE is used
---
doc/doc-txt/experimental-spec.txt | 23 +++++++++++------------
src/src/tls-openssl.c | 27 ++++++++++++++++++++++-----
src/src/transports/smtp.c | 2 +-
3 files changed, 34 insertions(+), 18 deletions(-)
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index c060a6c..80e970c 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1236,24 +1236,23 @@ The use of OCSP-stapling should be considered, allowing
for fast revocation of certificates (which would otherwise
be limited by the DNS TTL on the TLSA records). However,
this is likely to only be usable with DANE_TA. NOTE: the
-default is to request OCSP for all hosts; the certificate
-chain in DANE_EE usage will be insufficient to validate
-the OCSP proof and verification will fail. Either disable
-OCSP completely or use the (new) variable $tls_out_tlsa_usage
-like so:
-
- hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
- {= {0}{$tls_out_tlsa_usage}} } \
+default of requesting OCSP for all hosts is modified iff
+DANE is in use, to:
+
+ hosts_request_ocsp = ${if or { {= {0}{$tls_out_tlsa_usage}} \
+ {= {4}{$tls_out_tlsa_usage}} } \
{*}{}}
-The variable is a bitfield with numbered bits set for TLSA
-record usage codes. The zero above means DANE was not in use,
+
+The (new) variable $tls_out_tlsa_usage is a bitfield with
+numbered bits set for TLSA record usage codes.
+The zero above means DANE was not in use,
the four means that only DANE_TA usage TLSA records were
found. If the definition of hosts_require_ocsp or
hosts_request_ocsp includes the string "tls_out_tlsa_usage",
they are re-expanded in time to control the OCSP request.
-[ All a bit complicated. Should we make that definition
-the default? Should we override the user's definition? ]
+This modification of hosts_request_ocsp is only done if
+it has the default value of "*".
For client-side DANE there are two new smtp transport options,
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index de2e7a3..3431226 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1771,11 +1771,28 @@ else if (dane_required)
#ifndef DISABLE_OCSP
{
- require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
- NULL, host->name, host->address, NULL) == OK;
- request_ocsp = require_ocsp ? TRUE
- : verify_check_this_host(&ob->hosts_request_ocsp,
- NULL, host->name, host->address, NULL) == OK;
+ if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
+ NULL, host->name, host->address, NULL) == OK))
+ request_ocsp = TRUE;
+ else
+ {
+# ifdef EXPERIMENTAL_DANE
+ if ( dane
+ && ob->hosts_request_ocsp[0] == '*'
+ && ob->hosts_request_ocsp[1] == '\0'
+ )
+ {
+ /* Unchanged from default. Use a safer one under DANE */
+ request_ocsp = TRUE;
+ ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
+ " {= {4}{$tls_out_tlsa_usage}} } "
+ " {*}{}}";
+ }
+ else
+# endif
+ request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp,
+ NULL, host->name, host->address, NULL) == OK;
+ }
}
#endif
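Review bot: The override at `ob->hosts_request_ocsp = US"${if or ..."` writes into the transport's options block rather than a local, so the replacement list persists for every later delivery made through this transport in the same process, DANE or not; that is only harmless because the expression expands to `*` when `$tls_out_tlsa_usage` is 0, which presumably relies on that variable being reset on each non-DANE connection — worth confirming. Either keep the list in a local (`uschar *request_list = ob->hosts_request_ocsp;` and substitute the DANE expression there) or extend the comment to say the persistence is intentional, e.g. `/* Unchanged from default: substitute the DANE-aware list. Written back to the options block, so it also governs later deliveries via this transport; it expands to "*" when DANE is not in use. */`. Note also that `request_ocsp = TRUE` is set unconditionally in that branch, so the actual gating on the TLSA usage bits must happen in the later re-expansion the spec text describes, which is outside this hunk; a one-line comment pointing there would save the next reader a search. The `[0]`/`[1]` probe assumes `hosts_request_ocsp` is never NULL here; if an empty setting can leave it NULL, a `ob->hosts_request_ocsp &&` guard is cheap. The enclosing function begins and ends outside the hunk.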
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 9abc69d..1865ade 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -216,7 +216,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
NULL, /* hosts_try_prdr */
#endif
#ifndef DISABLE_OCSP
- US"*", /* hosts_request_ocsp */
+ US"*", /* hosts_request_ocsp (except under DANE) */
NULL, /* hosts_require_ocsp */
#endif
NULL, /* hosts_require_tls */