From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Fri, 12 Sep 2014 20:13:47 +0000 (+0100)
Subject: Fix needless OCSP request under DANE
X-Git-Tag: exim-4_85_RC1~55
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/4f59c424dabfc69b7313d84685df68dd406d6ff9

Fix needless OCSP request under DANE
usage 3 and with require_ocsp in play though inactive
---

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 28597c352..e5f307882 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -26309,7 +26309,7 @@ an identically named option for the &(smtp)& transport. In each case, the value
 of the option is expanded and must then be the name of a file that contains a
 CRL in PEM format.
 The downside is that clients have to periodically re-download a potentially huge
-file from every certificate authority the know of.
+file from every certificate authority they know of.
 
 The way with most moving parts at query time is Online Certificate
 Status Protocol (OCSP), where the client verifies the certificate
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7d9ab8b4d..b77ed32e1 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1784,28 +1784,29 @@ tls_out.tlsa_usage = 0;
 
 #ifndef DISABLE_OCSP
   {
+# ifdef EXPERIMENTAL_DANE
+  if (  tlsa_dnsa
+     && ob->hosts_request_ocsp[0] == '*'
+     && ob->hosts_request_ocsp[1] == '\0'
+     )
+    {
+    /* Unchanged from default.  Use a safer one under DANE */
+    request_ocsp = TRUE;
+    ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
+				      "   {= {4}{$tls_out_tlsa_usage}} } "
+				 " {*}{}}";
+    }
+# endif
+
   if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
     NULL, host->name, host->address, NULL) == OK))
     request_ocsp = TRUE;
   else
-    {
 # ifdef EXPERIMENTAL_DANE
-    if (  tlsa_dnsa
-       && ob->hosts_request_ocsp[0] == '*'
-       && ob->hosts_request_ocsp[1] == '\0'
-       )
-      {
-      /* Unchanged from default.  Use a safer one under DANE */
-      request_ocsp = TRUE;
-      ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
-					"   {= {4}{$tls_out_tlsa_usage}} } "
-				   " {*}{}}";
-      }
-    else
+    if (!request_ocsp)
 # endif
       request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp,
 	  NULL, host->name, host->address, NULL) == OK;
-    }
   }
 #endif