lib-master: Use ssl_require_crl setting only for server-side SSL settings
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Tue, 17 May 2022 10:31:40 +0000 (12:31 +0200)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Thu, 24 Aug 2023 12:05:08 +0000 (12:05 +0000)
We don't currently properly support CRL checking when acting as an SSL client.
The CRL would have to be stored together with the CA certificates, which isn't commonly
done. This bug has been in the code ever since it was added in
30c5c1fc3608ae575f11960281d3e338b6bf7bc8, but it became more noticeable
with recent changes that started using lib-master for getting all SSL
client settings, e.g. 1e5324b5805bf7299cd8196f7b659fe935f027bd

src/lib-master/master-service-ssl-settings.c

index 5ddf18cc8a4d9cb41c87087cc7c16138730c3f56..181a83eaa021406c8863919fe266b184d176ed40 100644 (file)
@@ -232,7 +232,6 @@ static void master_service_ssl_common_settings_to_iostream_set(
 
        set_r->verbose = ssl_set->verbose_ssl;
        set_r->verbose_invalid_cert = ssl_set->verbose_ssl;
-       set_r->skip_crl_check = !ssl_set->ssl_require_crl;
        set_r->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;
        set_r->compression = ssl_set->parsed_opts.compression;
        set_r->tickets = ssl_set->parsed_opts.tickets;
@@ -251,6 +250,8 @@ void master_service_ssl_client_settings_to_iostream_set(
        set_r->cert.key = p_strdup_empty(pool, ssl_set->ssl_client_key);
        set_r->verify_remote_cert = ssl_set->ssl_client_require_valid_cert;
        set_r->allow_invalid_cert = !set_r->verify_remote_cert;
+       /* client-side CRL checking not supported currently */
+       set_r->skip_crl_check = TRUE;
 }
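Review bot: Hard-coding `set_r->skip_crl_check = TRUE` on the new line means an administrator who has set `ssl_require_crl=yes` gets no revocation check on outbound TLS connections and nothing tells them so; the comment above it should state that explicitly, since the setting name suggests it is global. I would expand it to `/* client-side CRL checking not supported currently: ssl_require_crl is deliberately ignored here, so revocation of the remote server's certificate is never checked */`. If the file has a logging helper, a one-time warning when `ssl_set->ssl_require_crl` is set on this path would be worth considering too, so the silent downgrade is visible in the logs. The signature of master_service_ssl_client_settings_to_iostream_set sits before the hunk.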
 
 void master_service_ssl_server_settings_to_iostream_set(
@@ -272,4 +273,7 @@ void master_service_ssl_server_settings_to_iostream_set(
        set_r->dh = p_strdup(pool, ssl_server_set->ssl_dh);
        set_r->verify_remote_cert = ssl_set->ssl_verify_client_cert;
        set_r->allow_invalid_cert = !set_r->verify_remote_cert;
+       /* ssl_require_crl is used only for checking client-provided SSL
+          certificate's CRL. */
+       set_r->skip_crl_check = !ssl_set->ssl_require_crl;
 }
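Review bot: The new comment says `ssl_require_crl` covers the client-provided certificate's CRL, but it does not say what happens when no client certificate is verified at all; two lines above, `verify_remote_cert` is derived from `ssl_verify_client_cert`, so presumably `skip_crl_check` has no effect unless that is enabled. I would say so in the comment, e.g. `/* ssl_require_crl applies only to CRL checking of the client-provided SSL certificate, i.e. it matters only when ssl_verify_client_cert is enabled. */`, so readers don't expect it to influence anything else on the server side. Whether the iostream layer ignores skip_crl_check when verification is off is not visible in this hunk and would need confirming. The signature of master_service_ssl_server_settings_to_iostream_set sits before the hunk.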