Undocumented command to allow expired CRLs
authorAlan T. DeKok <aland@freeradius.org>
Wed, 8 Dec 2010 15:34:54 +0000 (16:34 +0100)
committerAlan T. DeKok <aland@freeradius.org>
Wed, 8 Dec 2010 15:37:14 +0000 (16:37 +0100)
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h

index 067388af595a93dcf6db95e5b6d4c7eee9630cb2..09bf6264bdd4c2a665647f42203c8b0b70578cf9 100644 (file)
@@ -112,6 +112,8 @@ static CONF_PARSER module_config[] = {
          offsetof(EAP_TLS_CONF, include_length), NULL, "yes" },
        { "check_crl", PW_TYPE_BOOLEAN,
          offsetof(EAP_TLS_CONF, check_crl), NULL, "no"},
+       { "allow_expired_crl", PW_TYPE_BOOLEAN,
+         offsetof(EAP_TLS_CONF, allow_expired_crl), NULL, NULL},
        { "check_cert_cn", PW_TYPE_STRING_PTR,
          offsetof(EAP_TLS_CONF, check_cert_cn), NULL, NULL},
        { "cipher_list", PW_TYPE_STRING_PTR,
@@ -520,6 +522,16 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
                        pairmake(cert_attr_names[EAPTLS_CN][lookup], common_name, T_OP_SET));
        }
 
+       /*
+        *      If the CRL has expired, that might still be OK.
+        */
+       if (!my_ok &&
+           (conf->allow_expired_crl) &&
+           (err == X509_V_ERR_CRL_HAS_EXPIRED)) {
+               my_ok = 1;
+               X509_STORE_CTX_set_error( ctx, 0 );
+       }
+
        if (!my_ok) {
                const char *p = X509_verify_cert_error_string(err);
                radlog(L_ERR,"--> verify error:num=%d:%s\n",err, p);
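Review bot: The override in the new `if (!my_ok && (conf->allow_expired_crl) && ...)` block accepts the certificate silently, so nothing records that revocation status was judged against a CRL whose validity period has passed; a line such as `radlog(L_INFO, "--> CRL has expired, accepting because allow_expired_crl is set");` inside the block would let operators notice stale CRL distribution from the logs. Clearing the error with a bare `0` reads as a magic number where OpenSSL provides `X509_V_OK`, and the spacing of `X509_STORE_CTX_set_error( ctx, 0 )` differs from the rest of the file, e.g. `X509_verify_cert_error_string(err)`; `X509_STORE_CTX_set_error(ctx, X509_V_OK);` would match. The module_config entry in the first hunk gives `allow_expired_crl` a NULL default while the neighbouring `check_crl` entry uses `"no"`; an explicit `"no"` would make the off-by-default intent visible at the parser table. cbtls_verify begins and ends outside this hunk, so where `my_ok` and `err` are initialised is not visible here.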
index 6be8542140bf8eb6bd0d2ea30a481ba0daf5308c..3a994aaa185e0a5d3472a85813c4fac210845003 100644 (file)
@@ -56,6 +56,7 @@ typedef struct eap_tls_conf {
         */
        int             fragment_size;
        int             check_crl;
+       int             allow_expired_crl;
        char            *check_cert_cn;
        char            *cipher_list;
        char            *check_cert_issuer;
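Review bot: The new `allow_expired_crl` field carries no comment, and since the commit title says the option is deliberately undocumented elsewhere, this struct is the only place a maintainer will learn what it does; a short trailing comment such as `int allow_expired_crl; /* treat X509_V_ERR_CRL_HAS_EXPIRED as non-fatal in cbtls_verify */` would cover it. The eap_tls_conf struct begins and ends outside this hunk.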