Gitweb:
http://git.exim.org/exim.git/commitdiff/4f59c424dabfc69b7313d84685df68dd406d6ff9
Commit: 4f59c424dabfc69b7313d84685df68dd406d6ff9
Parent: 0eb51736637f6c93a2fd6cb65316f8ae11f0a0be
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Fri Sep 12 21:13:47 2014 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Fri Sep 12 21:13:47 2014 +0100
Fix needless OCSP request under DANE
usage 3 and with require_ocsp in play though inactive
---
doc/doc-docbook/spec.xfpt | 2 +-
src/src/tls-openssl.c | 29 +++++++++++++++--------------
2 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 28597c3..e5f3078 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -26309,7 +26309,7 @@ an identically named option for the &(smtp)& transport. In each case, the value
of the option is expanded and must then be the name of a file that contains a
CRL in PEM format.
The downside is that clients have to periodically re-download a potentially huge
-file from every certificate authority the know of.
+file from every certificate authority they know of.
The way with most moving parts at query time is Online Certificate
Status Protocol (OCSP), where the client verifies the certificate
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7d9ab8b..b77ed32 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1784,28 +1784,29 @@ tls_out.tlsa_usage = 0;
#ifndef DISABLE_OCSP
{
+# ifdef EXPERIMENTAL_DANE
+ if ( tlsa_dnsa
+ && ob->hosts_request_ocsp[0] == '*'
+ && ob->hosts_request_ocsp[1] == '\0'
+ )
+ {
+ /* Unchanged from default. Use a safer one under DANE */
+ request_ocsp = TRUE;
+ ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
+ " {= {4}{$tls_out_tlsa_usage}} } "
+ " {*}{}}";
+ }
+# endif
+
if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
NULL, host->name, host->address, NULL) == OK))
request_ocsp = TRUE;
else
- {
# ifdef EXPERIMENTAL_DANE
- if ( tlsa_dnsa
- && ob->hosts_request_ocsp[0] == '*'
- && ob->hosts_request_ocsp[1] == '\0'
- )
- {
- /* Unchanged from default. Use a safer one under DANE */
- request_ocsp = TRUE;
- ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
- " {= {4}{$tls_out_tlsa_usage}} } "
- " {*}{}}";
- }
- else
+ if (!request_ocsp)
# endif
request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp,
NULL, host->name, host->address, NULL) == OK;
- }
}
#endif
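Review bot: With EXPERIMENTAL_DANE defined, the guard added after the `else` (`if (!request_ocsp)`) means that in the DANE-default path the expansion installed on the lines above is never evaluated in this block — `request_ocsp` was already forced TRUE just before, and at this point `tls_out.tlsa_usage` is still 0 (see the hunk header), so the `${if or {...}}` string would yield "*" here anyway; the comment "Use a safer one under DANE" should say that the substituted value is only meaningful once the TLSA usage is known and is presumably re-checked later in the file, e.g. `/* Unchanged from default. Install an expansion that withdraws the OCSP request unless the TLSA usage is 0 or 4; it cannot be decided yet (usage unknown here), so request for now and let the later check re-evaluate it. */`. Dropping the braces around the else body leaves `else` followed by a conditionally compiled `if`, so the body changes shape with the preprocessor; keeping `{ }` around it (as the removed lines had) makes that readable and avoids a dangling-else surprise if another statement is ever added there. One caveat worth confirming: if `tls_out_tlsa_usage` is a bitmask of the usages seen (the values 0 and 4 suggest bits rather than a usage number), a host publishing both usage-2 and usage-3 records gives a value that is neither 0 nor 4, so the OCSP request is withdrawn even when the PKIX-chained usage-2 record is the one that verifies. The enclosing function starts before this hunk.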