From: Aki Tuomi <aki.tuomi@dovecot.fi>
Date: Wed, 28 Feb 2018 12:22:04 +0000 (+0200)
Subject: login-common: ssl_require_crl works both ways
X-Git-Tag: 2.2.36.rc1~32
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5a56c3320846308907509074f4ec40fa4cdf3d1b;p=thirdparty%2Fdovecot%2Fcore.git

login-common: ssl_require_crl works both ways

It applies for incoming and outgoing connections.
---

diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index 76d5a26f10..586cb49eb4 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -915,7 +915,7 @@ static int ssl_verify_client_cert(int preverify_ok, X509_STORE_CTX *ctx)
 	proxy->cert_received = TRUE;
 	ctxerr = X509_STORE_CTX_get_error(ctx);
 
-	if (proxy->client_proxy && !proxy->login_set->ssl_require_crl &&
+	if (!proxy->login_set->ssl_require_crl &&
 	    (ctxerr == X509_V_ERR_UNABLE_TO_GET_CRL ||
 	     ctxerr == X509_V_ERR_CRL_HAS_EXPIRED)) {
 		/* no CRL given with the CA list. don't worry about it. */