Commit 5ae4ceb9 authored by Viktor Dukhovni

Perform DANE-EE(3) name checks by default



In light of potential UKS (unknown key share) attacks on some
applications, primarily browsers, despite RFC761, name checks are
by default applied with DANE-EE(3) TLSA records.  Applications for
which UKS is not a problem can optionally disable DANE-EE(3) name
checks via the new SSL_CTX_dane_set_flags() and friends.

Reviewed-by: Rich Salz <rsalz@openssl.org>
parent d83b7e1a