TLS: Enable ECDHE on OpenSSL, just the NIST P-256 curve. Bug 1397
[exim.git] / src / src / transports / smtp.c
index e6f4da8ca83a5c661293026c882d372eb853d503..48bab9599e90638eea213a8b4c5ac4aecd511918 100644 (file)
@@ -241,8 +241,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   FALSE,               /* gethostbyname */
   TRUE,                /* dns_qualify_single */
   FALSE,               /* dns_search_parents */
-  NULL,                /* dnssec_request_domains */
-  NULL,                /* dnssec_require_domains */
+  { NULL, NULL },      /* dnssec_domains {request,require} */
   TRUE,                /* delay_after_cutoff */
   FALSE,               /* hosts_override */
   FALSE,               /* hosts_randomize */
@@ -1369,7 +1368,7 @@ BOOL utf8_offered = FALSE;
 BOOL dsn_all_lasthop = TRUE;
 #if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
 BOOL dane = FALSE;
-BOOL dane_required;
+BOOL dane_required = verify_check_given_host(&ob->hosts_require_dane, host) == OK;
 dns_answer tlsa_dnsa;
 #endif
 smtp_inblock inblock;
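Review bot: Initialising dane_required at its declaration (the `BOOL dane_required = verify_check_given_host(...) == OK;` line) moves the hosts_require_dane check out of the `continue_hostname == NULL` branch it used to sit in, so it now runs on every call, including a continued connection; that is presumably intended so the later `else if (dane_required)` path always sees a defined value, but it is worth stating in a comment. The `== OK` comparison also folds any non-OK result from verify_check_given_host() into "not required", so if that function can return DEFER (a host-list lookup that could not complete), a host that should require DANE is silently treated as not requiring it; if DEFER is possible there, handle it explicitly rather than downgrading, e.g. `int dane_rc = verify_check_given_host(&ob->hosts_require_dane, host);` followed by a check for DEFER before deriving `dane_required = dane_rc == OK;`. The enclosing function starts outside this hunk.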
@@ -1456,22 +1455,20 @@ if (continue_hostname == NULL)
     tls_out.dane_verified = FALSE;
     tls_out.tlsa_usage = 0;
 
-    dane_required = verify_check_given_host(&ob->hosts_require_dane, host) == OK;
-
     if (host->dnssec == DS_YES)
       {
       if(  (  dane_required
           || verify_check_given_host(&ob->hosts_try_dane, host) == OK
           )
        && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
-       && dane_required
+       && dane_required        /* do not error on only dane-requested */
        )
        {
        set_errno(addrlist, ERRNO_DNSDEFER,
          string_sprintf("DANE error: tlsa lookup %s",
            rc == DEFER ? "DEFER" : "FAIL"),
          rc, FALSE, NULL);
-       return  rc;
+       return rc;
        }
       }
     else if (dane_required)
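Review bot: The new comment on the `&& dane_required` line documents only half of the fall-through: for a host that is in hosts_try_dane but not hosts_require_dane, both a DEFER and a FAIL from tlsa_lookup() skip the error block and delivery proceeds without DANE, which a reader of `do not error on only dane-requested` may not infer, and the DEFER case is the one that quietly downgrades on a transient DNS problem. Suggest `/* hosts_try_dane only: a DEFER or FAIL from tlsa_lookup() falls through to a non-DANE delivery */`. Whether `dane` is left FALSE on that failure path is decided inside tlsa_lookup(), since it is passed by address; the rest of this function keys off it, so that contract is worth confirming and noting here. The enclosing `if (continue_hostname == NULL)` block and the function both start outside this hunk.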