Override an unchanged default hosts_request_ocsp when DANE is used

diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index c060a6c5a99856e2b7c77b9ccbbc767eaaced660..80e970cc107e10210d9bbbbacd571d65744d5ea4 100644 (file)
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1236,24 +1236,23 @@ The use of OCSP-stapling should be considered, allowing
 for fast revocation of certificates (which would otherwise
 be limited by the DNS TTL on the TLSA records).  However,
 this is likely to only be usable with DANE_TA.  NOTE: the
-default is to request OCSP for all hosts; the certificate
-chain in DANE_EE usage will be insufficient to validate
-the OCSP proof and verification will fail.  Either disable
-OCSP completely or use the (new) variable $tls_out_tlsa_usage
-like so:
-
-  hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
-                                {= {0}{$tls_out_tlsa_usage}} } \
+default of requesting OCSP for all hosts is modified iff
+DANE is in use, to:
+
+  hosts_request_ocsp = ${if or { {= {0}{$tls_out_tlsa_usage}} \
+                                {= {4}{$tls_out_tlsa_usage}} } \
                          {*}{}}
-The variable is a bitfield with numbered bits set for TLSA
-record usage codes. The zero above means DANE was not in use,
+
+The (new) variable $tls_out_tlsa_usage is a bitfield with
+numbered bits set for TLSA record usage codes.
+The zero above means DANE was not in use,
 the four means that only DANE_TA usage TLSA records were
 found. If the definition of hosts_require_ocsp or
 hosts_request_ocsp includes the string "tls_out_tlsa_usage",
 they are re-expanded in time to control the OCSP request.
 
-[ All a bit complicated.  Should we make that definition
-the default?  Should we override the user's definition? ]
+This modification of hosts_request_ocsp is only done if
+it has the default value of "*".
 
 
 For client-side DANE there are two new smtp transport options,

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index de2e7a3bd4d8aa960b04850588f2b328f9e71859..3431226156fd587cde8483e8766a3f1eb712ceec 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1771,11 +1771,28 @@ else if (dane_required)
 
 #ifndef DISABLE_OCSP
   {
-  require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
-    NULL, host->name, host->address, NULL) == OK;
-  request_ocsp = require_ocsp ? TRUE
-    : verify_check_this_host(&ob->hosts_request_ocsp,
-       NULL, host->name, host->address, NULL) == OK;
+  if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
+    NULL, host->name, host->address, NULL) == OK))
+    request_ocsp = TRUE;
+  else
+    {
+# ifdef EXPERIMENTAL_DANE
+    if (  dane
+       && ob->hosts_request_ocsp[0] == '*'
+       && ob->hosts_request_ocsp[1] == '\0'
+       )
+      {
+      /* Unchanged from default.  Use a safer one under DANE */
+      request_ocsp = TRUE;
+      ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
+                                       "   {= {4}{$tls_out_tlsa_usage}} } "
+                                  " {*}{}}";
+      }
+    else
+# endif
+      request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp,
+         NULL, host->name, host->address, NULL) == OK;
+    }
   }
 #endif
 

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 9abc69d51042959a5ed42fe0d8a15446a286ad7f..1865adee8abba2ae6d0e55a94d69ccc140910a94 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -216,7 +216,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   NULL,                /* hosts_try_prdr */
 #endif
 #ifndef DISABLE_OCSP
-  US"*",               /* hosts_request_ocsp */
+  US"*",               /* hosts_request_ocsp (except under DANE) */
   NULL,                /* hosts_require_ocsp */
 #endif
   NULL,                /* hosts_require_tls */