From: Viktor Dukhovni Date: Sat, 16 Jan 2016 20:29:44 +0000 (-0500) Subject: Make SSL_dane_enable() requirement more clear. X-Git-Tag: OpenSSL_1_1_0-pre3~514 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=80f63d667824867b325371f0e7ede0315d82bd79;p=oweals%2Fopenssl.git Make SSL_dane_enable() requirement more clear. Also s/s/ssl/ as appropriate in the code example. Suggested by Claus Assmann. Reviewed-by: Rich Salz --- diff --git a/doc/ssl/SSL_CTX_dane_enable.pod b/doc/ssl/SSL_CTX_dane_enable.pod index c3c203ef6a..3ffc675ce3 100644 --- a/doc/ssl/SSL_CTX_dane_enable.pod +++ b/doc/ssl/SSL_CTX_dane_enable.pod @@ -54,8 +54,8 @@ of the DANE TLSA parameter acronyms) is mapped to C with a strength ordinal of C<1> and matching type C is mapped to C with a strength ordinal of C<2>. -SSL_dane_enable() may be called before the SSL handshake is -initiated with L to enable DANE for that connection. +SSL_dane_enable() must be called before the SSL handshake is initiated with +L if (and only if) you want to enable DANE for that connection. (The connection must be associated with a DANE-enabled SSL context). The B argument specifies the RFC7671 TLSA base domain, which will be the primary peer reference identifier for certificate @@ -210,9 +210,9 @@ the lifetime of the SSL connection. const char *peername = SSL_get0_peername(ssl); EVP_PKEY *mspki = NULL; - int depth = SSL_get0_dane_authority(s, NULL, &mspki); + int depth = SSL_get0_dane_authority(ssl, NULL, &mspki); if (depth >= 0) { - (void) SSL_get0_dane_tlsa(s, &usage, &selector, &mtype, NULL, NULL); + (void) SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, NULL); printf("DANE TLSA %d %d %d %s at depth %d\n", usage, selector, mtype, (mspki != NULL) ? "TA public key verified certificate" : depth ? "matched TA certificate" : "matched EE certificate",