From eeb9276b22cd991157c46a068a85ffe59b948d75 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 10 Aug 2014 21:52:24 +0100 Subject: [PATCH] Enable OCSP --- doc/doc-txt/experimental-spec.txt | 8 +++++--- src/src/tls-openssl.c | 1 - 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index f1414287d..b1b89e007 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -1234,7 +1234,8 @@ must have a correct name (SubjectName or SubjectAltName). The use of OCSP-stapling should be considered, allowing for fast revocation of certificates (which would otherwise -be limited by the DNS TTL on the TLSA records). +be limited by the DNS TTL on the TLSA records). However, +this is likely to only be usable with DANE_TA. For client-side DANE there are two new smtp transport options, @@ -1252,12 +1253,13 @@ If dane is in use the following transport options are ignored: tls_verify_certificates tls_crl tls_verify_cert_hostnames - hosts_require_ocsp (might rethink those two) - hosts_request_ocsp Currently dnssec_request_domains must be active (need to think about that) and dnssec_require_domains is ignored. +If verification was successful using DANE then the "CV" item +in the delivery log line will show as "CV=dane". + -------------------------------------------------------------- End of file diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index c05253f73..1ec7786bd 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1696,7 +1696,6 @@ else if (dane_required) return FAIL; } -if (!dane) /*XXX todo: enable ocsp with dane */ #endif #ifndef DISABLE_OCSP -- 2.30.2