of the option is expanded and must then be the name of a file that contains a
CRL in PEM format.
The downside is that clients have to periodically re-download a potentially huge
-file from every certificate authority the know of.
+file from every certificate authority they know of.
The way with most moving parts at query time is Online Certificate
Status Protocol (OCSP), where the client verifies the certificate
#ifndef DISABLE_OCSP
{
+# ifdef EXPERIMENTAL_DANE
+ if ( tlsa_dnsa
+ && ob->hosts_request_ocsp[0] == '*'
+ && ob->hosts_request_ocsp[1] == '\0'
+ )
+ {
+ /* Unchanged from default. Use a safer one under DANE */
+ request_ocsp = TRUE;
+ ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
+ " {= {4}{$tls_out_tlsa_usage}} } "
+ " {*}{}}";
+ }
+# endif
+
if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
NULL, host->name, host->address, NULL) == OK))
request_ocsp = TRUE;
else
- {
# ifdef EXPERIMENTAL_DANE
- if ( tlsa_dnsa
- && ob->hosts_request_ocsp[0] == '*'
- && ob->hosts_request_ocsp[1] == '\0'
- )
- {
- /* Unchanged from default. Use a safer one under DANE */
- request_ocsp = TRUE;
- ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
- " {= {4}{$tls_out_tlsa_usage}} } "
- " {*}{}}";
- }
- else
+ if (!request_ocsp)
# endif
request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp,
NULL, host->name, host->address, NULL) == OK;
- }
}
#endif