Perform DANE-EE(3) name checks by default (5ae4ceb9) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

Commit 5ae4ceb9 authored Jul 10, 2016 by

Viktor Dukhovni

Perform DANE-EE(3) name checks by default



In light of potential UKS (unknown key share) attacks on some
applications, primarily browsers, despite RFC761, name checks are
by default applied with DANE-EE(3) TLSA records.  Applications for
which UKS is not a problem can optionally disable DANE-EE(3) name
checks via the new SSL_CTX_dane_set_flags() and friends.

Reviewed-by: Rich Salz <rsalz@openssl.org>

parent d83b7e1a

Hide whitespace changes

Inline Side-by-side

Please register or to comment