Fail a DANE-mode verify on totally missing certificate

author Jeremy Harris <jgh146exb@wizmail.org>

Thu, 4 Dec 2014 19:17:47 +0000 (19:17 +0000)

committer Jeremy Harris <jgh146exb@wizmail.org>

Thu, 4 Dec 2014 19:17:47 +0000 (19:17 +0000)
author Jeremy Harris <jgh146exb@wizmail.org>
Thu, 4 Dec 2014 19:17:47 +0000 (19:17 +0000)
committer Jeremy Harris <jgh146exb@wizmail.org>
Thu, 4 Dec 2014 19:17:47 +0000 (19:17 +0000)
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c

index 9aa655e8251f79a177d4f9b73135554989e33ba2..c23ac031f5b544f6486710e4e8b24344c0a539e6 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1872,7 +1872,9 @@ if (expciphers != NULL)
  #ifdef EXPERIMENTAL_DANE
  if (tlsa_dnsa)
    {
-  SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane);
+  SSL_CTX_set_verify(client_ctx,
+    SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+    verify_callback_client_dane);
  
    if (!DANESSL_library_init())
      return tls_error(US"library init", host, NULL);
author	Jeremy Harris <jgh146exb@wizmail.org>
	Thu, 4 Dec 2014 19:17:47 +0000 (19:17 +0000)
committer	Jeremy Harris <jgh146exb@wizmail.org>
	Thu, 4 Dec 2014 19:17:47 +0000 (19:17 +0000)