Fail a DANE-mode verify on totally missing certificate
authorJeremy Harris <jgh146exb@wizmail.org>
Thu, 4 Dec 2014 19:17:47 +0000 (19:17 +0000)
committerJeremy Harris <jgh146exb@wizmail.org>
Thu, 4 Dec 2014 19:17:47 +0000 (19:17 +0000)
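index 9aa655e8251f79a177d4f9b73135554989e33ba2..c23ac031f5b544f6486710e4e8b24344c0a539e6 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1872,7 +1872,9 @@ if (expciphers != NULL)
 #ifdef EXPERIMENTAL_DANE
 if (tlsa_dnsa)
   {
-  SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane);
+  SSL_CTX_set_verify(client_ctx,
+    SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+    verify_callback_client_dane);
 
   if (!DANESSL_library_init())
     return tls_error(US"library init", host, NULL);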
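Review bot: The SSL_VERIFY_FAIL_IF_NO_PEER_CERT bit added to the SSL_CTX_set_verify() call on client_ctx is documented by OpenSSL (SSL_CTX_set_verify(3)) as taking effect only in server mode and being ignored in client mode, so on this DANE client path it is unlikely to produce the failure the commit title describes. The only way a server legitimately sends no certificate is an anonymous (aNULL) key exchange, in which case OpenSSL also skips the verify callback entirely, so verify_callback_client_dane never gets a chance to reject it. The robust defence is to keep anonymous suites out of the cipher list whenever tlsa_dnsa is set; the `if (expciphers != NULL)` context in the hunk header suggests the cipher string is built just above, so appending `:!aNULL` there for the DANE case (or rejecting the connection when SSL_get_peer_certificate() returns NULL after the handshake) would close the gap. A short comment such as `/* DANE needs a peer cert to match TLSA records; exclude anonymous suites rather than rely on verify flags */` would record the reasoning. The enclosing `if (tlsa_dnsa)` block and the cipher-list setup both extend outside the hunk, so I cannot confirm from here whether aNULL is already excluded.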