Enabled DANE only when at least one TLSA RR was added

author:    Viktor Dukhovni <openssl-users@dukhovni.org>
           Fri, 22 Apr 2016 00:00:58 +0000 (20:00 -0400)
committer: Viktor Dukhovni <openssl-users@dukhovni.org>
           Fri, 22 Apr 2016 14:41:57 +0000 (10:41 -0400)
commit:    9f6b22b814a306677f6d5a829cf7fd62005ecdc2
tree:      e6420ac6d4a61e5b0eefb3e5a59b4260f42e3e0f
parent:    ee85fc1dd67faebdeecb8fe8834facaee0566324

It is up to the caller of SSL_dane_tlsa_add() to take appropriate
action when no records are added successfully or adding some records
triggers an internal error (negative return value).

With this change the caller can continue with PKIX if desired when
none of the TLSA records are usable, or take some appropriate action
if DANE is required.

Also fixed the internal ssl_dane_dup() function to properly initialize
the TLSA RR stack in the target SSL handle.  Errors in ssl_dane_dup()
are no longer ignored.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Files changed:
  doc/ssl/SSL_CTX_dane_enable.pod
  include/internal/dane.h
  ssl/ssl_lib.c