From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sun, 10 Aug 2014 20:52:24 +0000 (+0100)
Subject: Enable OCSP
X-Git-Tag: exim-4_85_RC1~67^2~17
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/eeb9276b22cd991157c46a068a85ffe59b948d75

Enable OCSP
---

diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index f1414287d..b1b89e007 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1234,7 +1234,8 @@ must have a correct name (SubjectName or SubjectAltName).
 
 The use of OCSP-stapling should be considered, allowing
 for fast revocation of certificates (which would otherwise
-be limited by the DNS TTL on the TLSA records).
+be limited by the DNS TTL on the TLSA records).  However,
+this is likely to only be usable with DANE_TA.
 
 
 For client-side DANE there are two new smtp transport options,
@@ -1252,12 +1253,13 @@ If dane is in use the following transport options are ignored:
   tls_verify_certificates
   tls_crl
   tls_verify_cert_hostnames
-  hosts_require_ocsp		(might rethink those two)
-  hosts_request_ocsp
 
 Currently dnssec_request_domains must be active (need to think about that)
 and dnssec_require_domains is ignored.
 
+If verification was successful using DANE then the "CV" item
+in the delivery log line will show as "CV=dane".
+
 
 --------------------------------------------------------------
 End of file
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index c05253f73..1ec7786bd 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1696,7 +1696,6 @@ else if (dane_required)
   return FAIL;
   }
 
-if (!dane)	/*XXX todo: enable ocsp with dane */
 #endif
 
 #ifndef DISABLE_OCSP