Viktor Dukhovni:
> On Fri, Aug 21, 2020 at 03:11:50PM -0400, Wietse Venema wrote:
>
> > Viktor Dukhovni:
> > > On Fri, Aug 21, 2020 at 10:59:11AM -0400, Wietse Venema wrote:
> > >
> > > > > Viktor Dukhovni:
> > > > > > - &&TLS_DANE_BASED(state->client_start_props->tls_level))
> > > > > > + && TLS_DANE_HASTA(state->client_start_props->dane))
> > > > > > msg_warn("%s: DANE requested, but not available",
> > > > > > state->client_start_props->namaddr);
> > > >
> > > > Should there be a warning when tls_dane_avail() fails AND the
> > > > TLS_DANE_BASED is true?
> > >
> > > Not needed if TLS_DANE_HASTA is not true, because:
> >
> > In that case, can you suggest a more appropriate warning message?
> > The text no longer matches the error condition.
>
> Fair point. The warning message could/should read:
>
> msg_warn("%s: DANE or local trust anchor based chain"
> " verification requested, but not available",
> state->client_start_props->namaddr);

DANE verification requested? This condition triggers when the SMTP
client (or posttls-finger) specifies an explicit trust anchor. They
do not request DANE.

Are you saying that the condition can also trigger when the SMTP
client (or posttls-finger) tries to enforce DANE?

	Wietse
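
Review bot: the unchanged msg_warn() context line still reads "DANE requested, but not available", while the `+` line now tests TLS_DANE_HASTA(state->client_start_props->dane) instead of TLS_DANE_BASED(state->client_start_props->tls_level), so the warning text no longer describes the condition that triggers it. Reword the message in the same hunk so it names what the new test actually detects, and add a short comment above the test saying why a TLS_DANE_BASED level with no trust anchors needs no warning at this point, since that reasoning is not visible in the code.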