#
ca_file = ${cadir}/ca.pem
+ ca_file = foo
+
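Review bot: The added `ca_file = foo` line in the example configuration looks like a stray local edit rather than part of the OCSP change: it sits directly after `ca_file = ${cadir}/ca.pem`, and if both end up in the same section the later value would replace the CA bundle path with a non-existent file, so installs copied from this example would fail certificate verification. If it is not intentional it should be dropped from the commit; if it is meant to illustrate the setting it should be commented out like the surrounding example lines, e.g. `#	ca_file = ${cadir}/ca.pem`. The start of this hunk is outside the visible view, so the enclosing section cannot be confirmed here.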
# OpenSSL will automatically create certificate chains,
# unless we tell it to not do that. The problem is that
# it sometimes gets the chains right from a certificate
# default configuration. Uncomment it, and configure
# the correct paths below to enable it.
#
+ # If OCSP checking is enabled, and the OCSP checks fail,
+ # the verify section is skipped.
+ #
verify {
+ # If the OCSP checks succeed, the verify section
+ # is run to allow additional checks.
+ #
+ # If you want to skip verify on OCSP success,
+ # uncomment this configuration item, and set it
+ # to "yes".
+ # skip_if_ocsp_ok = no
+
# A temporary directory where the client
# certificates are stored. This directory
# MUST be owned by the UID of the server,
char session_context_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
time_t session_last_flushed;
+ bool verify_skip_if_ocsp_ok;
char const *verify_tmp_dir;
char const *verify_client_cert_cmd;
bool require_client_cert;
};
static CONF_PARSER verify_config[] = {
+ { "skip_if_ocsp_ok", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, verify_skip_if_ocsp_ok), "no" },
{ "tmpdir", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, verify_tmp_dir), NULL },
{ "client", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, verify_client_cert_cmd), NULL },
CONF_PARSER_TERMINATOR
* If OCSP checks fail, don't run the verify
* command. The user will be rejected no matter
* what, so we might as well do less work.
+ *
+ * If OCSP checks succeed, we may want to skip the verify section.
*/
- if (my_ok) while (conf->verify_client_cert_cmd) {
+ if (my_ok
+#ifdef HAVE_OPENSSL_OCSP_H
+ && conf->ocsp_enable && (conf->verify_skip_if_ocsp_ok) && (my_ok == 1)
+#endif
+ ) while (conf->verify_client_cert_cmd) {
char filename[256];
int fd;
FILE *fp;
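Review bot: The rewritten condition at the `if (my_ok ... ) while (conf->verify_client_cert_cmd)` line inverts the meaning of `skip_if_ocsp_ok`: when OCSP support is compiled in, the `client` verify command now runs only if `ocsp_enable` and `verify_skip_if_ocsp_ok` are both set and `my_ok == 1`, so with the documented default `skip_if_ocsp_ok = no` (or with OCSP disabled) the verify section is silently never executed, dropping a check operators may rely on to reject client certificates. The comment above and the config text describe the opposite intent, skipping verify only when the flag is set and OCSP succeeded, so the added clause should be negated: `&& !(conf->ocsp_enable && conf->verify_skip_if_ocsp_ok && (my_ok == 1))`. The explicit `my_ok == 1` comparison suggests `my_ok` carries more than a boolean (presumably a distinct value for a skipped or soft-failed OCSP check); with the negated form those cases still run the verify command, which appears to be the safe behaviour, but this should be confirmed against where `my_ok` is assigned. The enclosing function and this hunk continue outside the visible view.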