
mod_ssl: Add no_crl_for_cert_ok flag to SSLCARevocationCheck directive

to opt in to the previous (2.2) behaviour of CRL verification when checking
certificate(s) that have no corresponding CRL.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1734561 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Yann Ylavic
2016-03-11 13:51:17 +00:00
parent cdfb2f5fd6
commit bafafe600b
7 changed files with 100 additions and 21 deletions


@@ -1581,10 +1581,11 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
ssl_log_cxerror(SSLLOG_MARK, APLOG_DEBUG, 0, conn,
X509_STORE_CTX_get_current_cert(ctx), APLOGNO(02275)
"Certificate Verification, depth %d, "
"CRL checking mode: %s", errdepth,
"CRL checking mode: %s (%x)", errdepth,
mctx->crl_check_mode == SSL_CRLCHECK_CHAIN ?
"chain" : (mctx->crl_check_mode == SSL_CRLCHECK_LEAF ?
"leaf" : "none"));
"leaf" : "none"),
mctx->crl_check_flags);
/*
* Check for optionally acceptable non-verifiable issuer situation
@@ -1633,6 +1634,12 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
X509_STORE_CTX_set_error(ctx, -1);
}
if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL
&& (sc->server->crl_check_flags & MODSSL_CCF_NO_CRL_FOR_CERT_OK)) {
errnum = X509_V_OK;
ok = TRUE;
}
#ifndef OPENSSL_NO_OCSP
/*
* Perform OCSP-based revocation checks
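Review bot: The new override in the `if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL` block reads the flag from `sc->server->crl_check_flags`, whereas the debug message added in the first hunk reports `mctx->crl_check_flags`; if `mctx` can be the proxy context in this callback (not visible here), the two disagree and the server-side setting would silently govern proxy-side verification. Testing the same object the log reports, `&& (mctx->crl_check_flags & MODSSL_CCF_NO_CRL_FOR_CERT_OK)) {`, keeps the decision and the diagnostic consistent. The override is also silent: turning an UNABLE_TO_GET_CRL failure into X509_V_OK is a deliberate fail-open, so an `ssl_log_cxerror(SSLLOG_MARK, APLOG_DEBUG, 0, conn, X509_STORE_CTX_get_current_cert(ctx), ...)` line inside the block, in the style of the existing "CRL checking mode" message, stating that the CRL check was skipped for the current certificate and depth, would let operators see when it fires. ssl_callback_SSLVerify continues outside the hunk.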