Hi all,

I have some code that wants to verify an X509 certificate against DANE, and on the happy path it's working great. What's weird is a particular failure case that returns verify ok instead of DANE mismatch.

If I start by calling SSL_dane_enable() passing the basename, but then the DNS lookup returns zero records, which results in me calling SSL_dane_tlsa_add() zero times, I expect a call to X509_verify_cert() to return a verification mismatch given there is nothing to match. Instead I get a verify ok, which is unexpected.

If I get at least one invalid DNS response (on purpose) and supply it to SSL_dane_tlsa_add(), I get an X509_V_ERR_DANE_NO_MATCH as expected.

Is this expected behaviour? This would imply that I need to keep track of the number of times I call SSL_dane_tlsa_add(), and prior to X509_verify_cert() fail the verify in advance. This seems a little unclean; ideally X509_verify_cert() should be doing all the work.

Am I doing something wrong?

Regards,
Graham

To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/C9EB457D-4DA8-4661-80AB-E8CC7BC09AA7%40sharp.fm.
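The post turns on one edge case: a DANE-enabled verification where the TLSA record set is empty or entirely unusable, and whether that should read as "match", "no match", or something distinct from both. The example below is an added illustration, not OpenSSL's code and not the poster's, of the RFC 6698 matching rules written so that "no usable records" is a separate outcome the caller must handle explicitly rather than something that silently collapses into a pass. It assumes the caller already has the peer chain as DER bytes plus each certificate's DER-encoded SubjectPublicKeyInfo (here constructed, not real certificates), and it deliberately performs no PKIX path validation, so usages 0 and 1 are matched on the chain contents only; the `record_usable` check mirrors the idea of counting usable `SSL_dane_tlsa_add()` calls, which is the bookkeeping the post describes having to do by hand.

```python
"""DANE/TLSA matching (RFC 6698) with an explicit 'no usable records' outcome.

Added example, not OpenSSL or the original poster's code. Certificates are
supplied as pre-encoded DER bytes; no PKIX path validation is performed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class DaneResult(Enum):
    NO_USABLE_RECORDS = "no usable TLSA records"  # caller decides: hard fail or non-DANE fallback
    MATCH = "match"
    NO_MATCH = "no match"


@dataclass(frozen=True)
class TlsaRecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


@dataclass(frozen=True)
class Cert:
    der: bytes       # DER of the whole certificate (constructed in tests)
    spki_der: bytes  # DER of its SubjectPublicKeyInfo (constructed in tests)


_DIGEST_LEN = {0: None, 1: 32, 2: 64}


def record_usable(rec: TlsaRecord) -> bool:
    """Equivalent of checking SSL_dane_tlsa_add()'s 'usable' result before counting it."""
    if rec.usage not in (0, 1, 2, 3) or rec.selector not in (0, 1) or rec.mtype not in _DIGEST_LEN:
        return False
    if not rec.data:
        return False
    expected = _DIGEST_LEN[rec.mtype]
    return expected is None or len(rec.data) == expected


def association_data(rec: TlsaRecord, cert: Cert) -> bytes:
    """Apply the record's selector and matching type to a certificate."""
    selected = cert.der if rec.selector == 0 else cert.spki_der
    if rec.mtype == 0:
        return selected
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def make_tlsa(cert: Cert, usage: int, selector: int, mtype: int) -> TlsaRecord:
    """Build the TLSA record that would publish this certificate."""
    probe = TlsaRecord(usage, selector, mtype, b"\x00")
    return TlsaRecord(usage, selector, mtype, association_data(probe, cert))


def dane_verify(chain: list[Cert], records: list[TlsaRecord]) -> DaneResult:
    """chain[0] is the end-entity certificate, the rest are its issuers.

    Returns NO_USABLE_RECORDS when nothing can be matched, instead of letting an
    empty record set look like success. EE usages (1, 3) are matched against the
    leaf only; TA usages (0, 2) against the issuer certificates in the chain.
    """
    usable = [r for r in records if record_usable(r)]
    if not usable:
        return DaneResult.NO_USABLE_RECORDS
    leaf, issuers = chain[0], chain[1:]
    for rec in usable:
        candidates = [leaf] if rec.usage in (1, 3) else issuers
        for cert in candidates:
            if hmac.compare_digest(association_data(rec, cert), rec.data):
                return DaneResult.MATCH
    return DaneResult.NO_MATCH


# Constructed sample chain: these are placeholder byte strings, not real DER.
LEAF = Cert(der=b"leaf-cert-der", spki_der=b"leaf-spki-der")
ISSUER = Cert(der=b"issuer-cert-der", spki_der=b"issuer-spki-der")
CHAIN = [LEAF, ISSUER]

if __name__ == "__main__":
    print(dane_verify(CHAIN, []))
    print(dane_verify(CHAIN, [make_tlsa(LEAF, 3, 1, 1)]))
    print(dane_verify(CHAIN, [TlsaRecord(3, 1, 1, b"\x00" * 32)]))
```

The point of the tri-state result is that the empty-set case is decided once, at the top of `dane_verify`, rather than being inferred by the caller from a count kept alongside the record-adding loop; whether `NO_USABLE_RECORDS` should be treated as a hard failure or as "DANE not in effect for this peer" is a policy decision, but it is at least a distinct value that cannot be confused with a match.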