From: Aki Tuomi
Date: Mon, 3 Oct 2016 09:38:35 +0000 (+0300)
Subject: lib-ssl-iostream: Allow skipping CRL check
X-Git-Tag: 2.3.0.rc1~684
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=978edad8fbaebab8cac435ec7e2dbf330b5d1170;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: Allow skipping CRL check
---
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 60c3ba32ed..f39a51d5e2 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -279,11 +279,13 @@ ssl_iostream_ctx_verify_remote_cert(struct ssl_iostream_context *ctx,
 STACK_OF(X509_NAME) *ca_names)
 {
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
- X509_STORE *store;
+ if (!ctx->set->skip_crl_check) {
+ X509_STORE *store;
- store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
- X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
- X509_V_FLAG_CRL_CHECK_ALL);
+ store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
+ X509_V_FLAG_CRL_CHECK_ALL);
+ }
 #endif
 SSL_CTX_set_client_CA_list(ctx->ssl_ctx, ca_names);
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 6103559120..13260966bc 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -24,6 +24,7 @@ struct ssl_iostream_settings {
 const char *crypto_device; /* context-only */
 bool verbose, verbose_invalid_cert; /* stream-only */
+ bool skip_crl_check;
 bool verify_remote_cert; /* neither/both */
 bool allow_invalid_cert; /* stream-only */
 bool prefer_server_ciphers;
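Review bot: The new `if (!ctx->set->skip_crl_check)` branch leaves the context's X509_STORE without X509_V_FLAG_CRL_CHECK/X509_V_FLAG_CRL_CHECK_ALL, so OpenSSL will not consult any loaded CRL for that context and a revoked client certificate passes chain verification, yet nothing in the hunk records this weakening where it happens; a comment such as `/* skip_crl_check: no CRL flags on the store, so revocation is not checked for this context; the CA list below is still enforced */` above the if would make the trade-off visible. As a point of style, now that the declaration sits in its own block, `X509_STORE *store = SSL_CTX_get_cert_store(ctx->ssl_ctx);` can replace the separate declaration and assignment. Whether `ctx->set` is always non-NULL here cannot be seen from the hunk; ssl_iostream_ctx_verify_remote_cert starts before and continues past it.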
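Review bot: The added `bool skip_crl_check;` is the only field in this run of struct ssl_iostream_settings without the `/* context-only */`, `/* stream-only */` or `/* neither/both */` marker its neighbours carry, so a reader cannot tell at which level the setting takes effect. The .c hunk reads it through `ctx->set` while configuring the context's cert store, which suggests `bool skip_crl_check; /* context-only */` is the right marker, to be confirmed against how stream-level settings are merged. A short note that it disables the CRL_CHECK flags on the context's X509_STORE would also help, since this header is what the settings-parsing code documents the flag from.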