From 80f63d667824867b325371f0e7ede0315d82bd79 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Sat, 16 Jan 2016 15:29:44 -0500 Subject: [PATCH] Make SSL_dane_enable() requirement more clear. Also s/s/ssl/ as appropriate in the code example. Suggested by Claus Assmann. Reviewed-by: Rich Salz --- doc/ssl/SSL_CTX_dane_enable.pod | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/ssl/SSL_CTX_dane_enable.pod b/doc/ssl/SSL_CTX_dane_enable.pod index c3c203ef6a..3ffc675ce3 100644 --- a/doc/ssl/SSL_CTX_dane_enable.pod +++ b/doc/ssl/SSL_CTX_dane_enable.pod @@ -54,8 +54,8 @@ of the DANE TLSA parameter acronyms) is mapped to C with a strength ordinal of C<1> and matching type C is mapped to C with a strength ordinal of C<2>. -SSL_dane_enable() may be called before the SSL handshake is -initiated with L to enable DANE for that connection. +SSL_dane_enable() must be called before the SSL handshake is initiated with +L if (and only if) you want to enable DANE for that connection. (The connection must be associated with a DANE-enabled SSL context). The B argument specifies the RFC7671 TLSA base domain, which will be the primary peer reference identifier for certificate @@ -210,9 +210,9 @@ the lifetime of the SSL connection. const char *peername = SSL_get0_peername(ssl); EVP_PKEY *mspki = NULL; - int depth = SSL_get0_dane_authority(s, NULL, &mspki); + int depth = SSL_get0_dane_authority(ssl, NULL, &mspki); if (depth >= 0) { - (void) SSL_get0_dane_tlsa(s, &usage, &selector, &mtype, NULL, NULL); + (void) SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, NULL); printf("DANE TLSA %d %d %d %s at depth %d\n", usage, selector, mtype, (mspki != NULL) ? "TA public key verified certificate" : depth ? "matched TA certificate" : "matched EE certificate", -- 2.40.0