[exim-cvs] Fix needless OCSP request under DANE

Author: Exim Git Commits Mailing List
Date:
To: exim-cvs
Subject: [exim-cvs] Fix needless OCSP request under DANE
Gitweb: http://git.exim.org/exim.git/commitdiff/4f59c424dabfc69b7313d84685df68dd406d6ff9
Commit:     4f59c424dabfc69b7313d84685df68dd406d6ff9
Parent:     0eb51736637f6c93a2fd6cb65316f8ae11f0a0be
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Fri Sep 12 21:13:47 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Fri Sep 12 21:13:47 2014 +0100


    Fix needless OCSP request under DANE
    usage 3 and with require_ocsp in play though inactive
---
 doc/doc-docbook/spec.xfpt |    2 +-
 src/src/tls-openssl.c     |   29 +++++++++++++++--------------
 2 files changed, 16 insertions(+), 15 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 28597c3..e5f3078 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -26309,7 +26309,7 @@ an identically named option for the &(smtp)& transport. In each case, the value
of the option is expanded and must then be the name of a file that contains a
CRL in PEM format.
The downside is that clients have to periodically re-download a potentially huge
-file from every certificate authority the know of.
+file from every certificate authority they know of.

The way with most moving parts at query time is Online Certificate
Status Protocol (OCSP), where the client verifies the certificate
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7d9ab8b..b77ed32 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1784,28 +1784,29 @@ tls_out.tlsa_usage = 0;

 #ifndef DISABLE_OCSP
   {
+# ifdef EXPERIMENTAL_DANE
+  if (  tlsa_dnsa
+     && ob->hosts_request_ocsp[0] == '*'
+     && ob->hosts_request_ocsp[1] == '\0'
+     )
+    {
+    /* Unchanged from default.  Use a safer one under DANE */
+    request_ocsp = TRUE;
+    ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
+                      "   {= {4}{$tls_out_tlsa_usage}} } "
+                 " {*}{}}";
+    }
+# endif
+
   if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
     NULL, host->name, host->address, NULL) == OK))
     request_ocsp = TRUE;
   else
-    {
 # ifdef EXPERIMENTAL_DANE
-    if (  tlsa_dnsa
-       && ob->hosts_request_ocsp[0] == '*'
-       && ob->hosts_request_ocsp[1] == '\0'
-       )
-      {
-      /* Unchanged from default.  Use a safer one under DANE */
-      request_ocsp = TRUE;
-      ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
-                    "   {= {4}{$tls_out_tlsa_usage}} } "
-                   " {*}{}}";
-      }
-    else
+    if (!request_ocsp)
 # endif
       request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp,
       NULL, host->name, host->address, NULL) == OK;
-    }
   }
 #endif
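Review bot: the `if (!request_ocsp)` added in the else branch is an unbraced `if` whose body is the `request_ocsp = verify_check_this_host(...)` statement after `# endif`, so with EXPERIMENTAL_DANE defined the statement is conditional and without it the statement runs unconditionally; that is the intended behaviour, but an `if` straddling a preprocessor boundary with no braces is easy to break on the next edit (a second statement added there would silently fall outside the condition). Suggest giving it an explicit brace pair or a comment on the `# endif` line. The same guard also assumes `request_ocsp` is FALSE on entry to this block, which is not visible in the hunk context; worth confirming the initialiser above `#ifndef DISABLE_OCSP` rather than relying on it. Finally, the substantive change here is that the DANE override of `ob->hosts_request_ocsp` (the usage-dependent expansion) now runs before the `hosts_require_ocsp` check instead of only in its else branch, so it is installed even when `require_ocsp` is set; the commit message would be clearer if it said so, since the `request_ocsp = TRUE` assignment itself is unchanged.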