lib-ssl-iostream: Allow skipping CRL check

diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 60c3ba32ed627736cd96eabd5ccc3c13132ec1d6..f39a51d5e299a4fc54deb6e0df2bae94fc367e44 100644 (file)
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -279,11 +279,13 @@ ssl_iostream_ctx_verify_remote_cert(struct ssl_iostream_context *ctx,
                                    STACK_OF(X509_NAME) *ca_names)
 {
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
-       X509_STORE *store;
+       if (!ctx->set->skip_crl_check) {
+               X509_STORE *store;
 
-       store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
-       X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
-                            X509_V_FLAG_CRL_CHECK_ALL);
+               store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
+               X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
+                                    X509_V_FLAG_CRL_CHECK_ALL);
+       }
 #endif
 
        SSL_CTX_set_client_CA_list(ctx->ssl_ctx, ca_names);

diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 61035591206522650845bed2c7e36f4ffc50c049..13260966bccb7110d1133720c0c8c9ab669931c0 100644 (file)
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -24,6 +24,7 @@ struct ssl_iostream_settings {
        const char *crypto_device; /* context-only */
 
        bool verbose, verbose_invalid_cert; /* stream-only */
+       bool skip_crl_check;
        bool verify_remote_cert; /* neither/both */
        bool allow_invalid_cert; /* stream-only */
        bool prefer_server_ciphers;