Skip to content
Commit 9f6b22b8 authored by Viktor Dukhovni's avatar Viktor Dukhovni
Browse files

Enabled DANE only when at least one TLSA RR was added



It is up to the caller of SSL_dane_tlsa_add() to take appropriate
action when no records are added successfully or adding some records
triggers an internal error (negative return value).

With this change the caller can continue with PKIX if desired when
none of the TLSA records are usable, or take some appropriate action
if DANE is required.

Also fixed the internal ssl_dane_dup() function to properly initialize
the TLSA RR stack in the target SSL handle.  Errors in ssl_dane_dup()
are no longer ignored.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent ee85fc1d
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment