Enable OCSP

diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index f1414287d64aa64fdf3a6124b6f4350827a2e557..b1b89e0070bc0f1f8cafb8a7798d1d515edfebb2 100644 (file)
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1234,7 +1234,8 @@ must have a correct name (SubjectName or SubjectAltName).
 
 The use of OCSP-stapling should be considered, allowing
 for fast revocation of certificates (which would otherwise
-be limited by the DNS TTL on the TLSA records).
+be limited by the DNS TTL on the TLSA records).  However,
+this is likely to only be usable with DANE_TA.
 
 
 For client-side DANE there are two new smtp transport options,
@@ -1252,12 +1253,13 @@ If dane is in use the following transport options are ignored:
   tls_verify_certificates
   tls_crl
   tls_verify_cert_hostnames
-  hosts_require_ocsp           (might rethink those two)
-  hosts_request_ocsp
 
 Currently dnssec_request_domains must be active (need to think about that)
 and dnssec_require_domains is ignored.
 
+If verification was successful using DANE then the "CV" item
+in the delivery log line will show as "CV=dane".
+
 
 --------------------------------------------------------------
 End of file

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index c05253f732d910579a68d7a666b0aed4e6766927..1ec7786bd55c39e122d6fc077b6b56ab40c79a36 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1696,7 +1696,6 @@ else if (dane_required)
   return FAIL;
   }
 
-if (!dane)     /*XXX todo: enable ocsp with dane */
 #endif
 
 #ifndef DISABLE_OCSP