Override an unchanged default hosts_request_ocsp when DANE is used
[exim.git] / src / src / tls-openssl.c
index de2e7a3bd4d8aa960b04850588f2b328f9e71859..3431226156fd587cde8483e8766a3f1eb712ceec 100644 (file)
@@ -1771,11 +1771,28 @@ else if (dane_required)
 
 #ifndef DISABLE_OCSP
   {
-  require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
-    NULL, host->name, host->address, NULL) == OK;
-  request_ocsp = require_ocsp ? TRUE
-    : verify_check_this_host(&ob->hosts_request_ocsp,
-       NULL, host->name, host->address, NULL) == OK;
+  if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
+    NULL, host->name, host->address, NULL) == OK))
+    request_ocsp = TRUE;
+  else
+    {
+# ifdef EXPERIMENTAL_DANE
+    if (  dane
+       && ob->hosts_request_ocsp[0] == '*'
+       && ob->hosts_request_ocsp[1] == '\0'
+       )
+      {
+      /* Unchanged from default.  Use a safer one under DANE */
+      request_ocsp = TRUE;
+      ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
+                                       "   {= {4}{$tls_out_tlsa_usage}} } "
+                                  " {*}{}}";
+      }
+    else
+# endif
+      request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp,
+         NULL, host->name, host->address, NULL) == OK;
+    }
   }
 #endif
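Review bot: The DANE branch assigns the new list into `ob->hosts_request_ocsp`, the transport's option block, which is shared state rather than per-connection, so the override outlives this connection and applies to every later host this transport talks to in the same process, including non-DANE ones for which `$tls_out_tlsa_usage` may be empty or stale when the `=` comparisons run. Keeping the decision local avoids that: declare `uschar * hosts_request_ocsp = ob->hosts_request_ocsp;` at the top of the block, assign the DANE-specific list to that local instead of to `ob->`, and hand the local to `verify_check_this_host()` and to any later consumer of the list in this function (which I cannot see from the hunk). The new code also indexes `ob->hosts_request_ocsp[0]` directly, whereas the old path only went through `verify_check_this_host()`; if the option can ever be NULL a `ob->hosts_request_ocsp &&` guard in the condition is cheap. The comment `/* Unchanged from default.  Use a safer one under DANE */` should say why OCSP is demoted here, e.g. which `$tls_out_tlsa_usage` values are meant to keep it on and what goes wrong when a DANE-only chain is asked for a status response — presumably that the status is only meaningful when PKIX verification is still in play, but confirm before writing that. The enclosing function starts before and ends after this hunk.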