Update docs with details of OS X certificate handling.

Sara Dickinson 2015-08-14 17:55:43 +01:00
parent dbad8a9003
commit 45de1f65b3
4 changed files with 37 additions and 9 deletions


@ -254,6 +254,12 @@ not `/usr/local'. It is recommended to use the following options:
./configure --prefix=/boot/common
On Mac OSX getdns will not build against the version of OpenSSL shipped with
OSX. If you link against a self-complied version of OpenSSL then manual
configuration of certificates is required for TLS authentication to work,
however if linking against the version of OpenSSL installed via Homebrew TLS
authentication will work out of the box.
Specifying the System Type
==========================


@ -89,6 +89,7 @@ External dependencies are linked outside the getdns API build tree (we rely on c
* [libunbound from NLnet Labs](http://www.nlnetlabs.nl/projects/unbound/) version 1.4.16 or later
* [libexpat](http://expat.sourceforge.net/) for libunbound.
* [libidn from the FSF](http://www.gnu.org/software/libidn/) version 1.
* [libopenssl from the OpenSSL Project](https://www.openssl.org/) version 0.9.7 or later. (Note: version 1.0.2 or later is required for TLS support)
* Doxygen is used to generate documentation, while this is not technically necessary for the build it makes things a lot more pleasant.
You have to install the library and also the library-devel (or -dev) for your
@ -149,8 +150,6 @@ There are a few known issues which we have summarized below - the most recent
and helpful list is being maintained in the git issues list in the repository.
Other known issues are being managed in the git repository issue list.
* (#113) Changing the resolution type between stub and recursive after a query has been issued with a context will not work - the previous resolution type will continue to be used. If you want to change the resolution type you will need to create a new context and set the resolution type for that context.
* When doing a synchronous lookup with a context that has outstanding asynchronous lookups, the callbacks for the asynchronous lookups might get called as a side effect of the synchronous lookup.
@ -214,6 +213,9 @@ build the packages, this is simplythe one we chose to use.
create dmg
A self-compiled version of OpenSSL or the version installed via Homebrew is required.
Note: If using a self-compiled version manual configuration of certificates is required for TLS authentication to wokr
#### Homebrew
If you're using [Homebrew](http://brew.sh/), you may run `brew install getdns`. By default, this will only build the core library without any 3rd party event loop support.
@ -222,7 +224,7 @@ To install the [event loop integration libraries](https://github.com/getdnsapi/g
Note that in order to compile the examples, the `--with-libevent` switch is required.
As of the 0.2.0 release, when installing via Homebrew, the trust anchor is expected to be located at `$(brew --prefix)/etc/getdns-root.key`. Additionally, the openssl lib installed by Homebrew is linked against.
As of the 0.2.0 release, when installing via Homebrew, the trust anchor is expected to be located at `$(brew --prefix)/etc/getdns-root.key`. Additionally, the OpenSSL library installed by Homebrew is linked against. Note that the Homebrew OpenSSL installation clones the Keychain certificates to the default OpenSSL location so TLS authentication should work out of the box.
Contributors
============


@ -578,6 +578,27 @@ priv_getdns_upstream_shutdown(getdns_upstream *upstream)
close(fd);
}
static int
tls_is_in_transports_list(getdns_context *context) {
for (int i=0; i< context->dns_transport_count;i++) {
if (context->dns_transports[i] == GETDNS_TRANSPORT_TLS ||
context->dns_transports[i] == GETDNS_TRANSPORT_STARTTLS)
return 1;
}
return 0;
}
static int
tls_only_is_in_transports_list(getdns_context *context) {
if (context->dns_transport_count != 1)
return 0;
if (context->dns_transports[0] == GETDNS_TRANSPORT_TLS ||
context->dns_transports[0] == GETDNS_TRANSPORT_STARTTLS)
return 1;
return 0;
}
static int
net_req_query_id_cmp(const void *id1, const void *id2)
{
@ -2140,8 +2161,8 @@ getdns_context_prepare_for_resolution(struct getdns_context *context,
/* Transport can in theory be set per query in stub mode */
if (context->resolution_type == GETDNS_RESOLUTION_STUB) {
/*TODO[TLS]: Check if TLS is in the list of transports.*/
if (context->tls_ctx == NULL) {
if (tls_is_in_transports_list(context) == 1 &&
context->tls_ctx == NULL) {
#ifdef HAVE_LIBTLS1_2
/* Create client context, use TLS v1.2 only for now */
context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
@ -2157,9 +2178,7 @@ getdns_context_prepare_for_resolution(struct getdns_context *context,
/* Note: If TLS is used in recursive mode this will try TLS on port
* 53 so it is blocked here. So is 'STARTTLS only' at the moment. */
if (context->resolution_type == GETDNS_RESOLUTION_RECURSING &&
context->dns_transport_count == 1 &&
(context->dns_transports[0] == GETDNS_TRANSPORT_TLS ||
context->dns_transports[0] == GETDNS_TRANSPORT_STARTTLS))
tls_only_is_in_transports_list(context) == 1)
return GETDNS_RETURN_BAD_CONTEXT;
if (context->resolution_type_set == context->resolution_type)
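Review bot: The `/*TODO[TLS]: Check if TLS is in the list of transports.*/` comment in the second hunk is now stale, because the line directly under it is that very check; drop it or replace it with a why-comment such as `/* Only build a TLS client context when a TLS transport is actually configured */`. The `== 1` comparisons against `tls_is_in_transports_list()` and `tls_only_is_in_transports_list()` are redundant for predicates that return 0 or 1 and read more naturally as `if (tls_is_in_transports_list(context) && context->tls_ctx == NULL) {`. The comment above that check says the transport can be set per query in stub mode, so if a later query adds TLS after this function has already run without creating `tls_ctx`, the lazy creation here is skipped — worth confirming that the per-query path either creates the context or rejects TLS explicitly rather than silently. In the first hunk, `tls_only_is_in_transports_list()` could be written as `return context->dns_transport_count == 1 && tls_is_in_transports_list(context);` to avoid duplicating the transport-enum test. The enclosing function getdns_context_prepare_for_resolution starts and ends outside the hunks shown.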


@ -826,7 +826,7 @@ static SSL*
tls_create_object(getdns_context *context, int fd, const char* auth_name)
{
/* Create SSL instance */
if (context->tls_ctx == NULL)
if (context->tls_ctx == NULL || auth_name == NULL)
return NULL;
SSL* ssl = SSL_new(context->tls_ctx);
X509_VERIFY_PARAM *param;
@ -896,6 +896,7 @@ tls_do_handshake(getdns_upstream *upstream)
upstream->tls_hs_state = GETDNS_HS_WRITE;
return STUB_TCP_AGAIN;
default:
DEBUG_STUB("--- %s %s %d\n", __FUNCTION__, "Handshake failed: ", want);
return tls_cleanup(upstream);
}
}
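Review bot: The new `auth_name == NULL` guard in tls_create_object makes a missing authentication name indistinguishable from a missing TLS context — both paths return NULL silently, so a caller presumably cannot tell whether TLS is unconfigured or the upstream simply has no name to verify against. Since the second hunk adds a `DEBUG_STUB` line for a failed handshake, a matching one before this return, e.g. `DEBUG_STUB("--- %s: no TLS context or no auth_name, refusing TLS\n", __FUNCTION__);`, would make the refusal visible when debugging. The guard also appears to mean TLS is refused outright rather than used without authentication when no auth name is set, which the commit message does not mention; a one-line comment on the check, such as `/* TLS is only attempted when there is a name to authenticate the upstream against */`, would stop it being read as a mere null-safety check. tls_create_object's body continues past the first hunk and tls_do_handshake starts before the second.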