Set X509_V_FLAG_CRL_CHECK_ALL
authorAlan T. DeKok <aland@freeradius.org>
Mon, 22 Jun 2015 19:27:10 +0000 (15:27 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Mon, 22 Jun 2015 19:27:10 +0000 (15:27 -0400)
raddb/mods-available/eap
src/include/tls-h
src/main/tls.c

index 165971aff60493107876db1198e0e1421ba20255..10026ec7151f4c82e753631d24ebd51f16360d2c 100644 (file)
@@ -269,9 +269,13 @@ eap {
                #  1) Copy CA certificates and CRLs to same directory.
                #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
                #    'c_rehash' is OpenSSL's command.
-               #  3) uncomment the line below.
+               #  3) uncomment the lines below.
                #  5) Restart radiusd
        #       check_crl = yes
+
+               # Check if intermediate CAs have been revoked.
+       #       check_all_crl = yes
+
                ca_path = ${cadir}
 
                #
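Review bot: The new comment `# Check if intermediate CAs have been revoked.` does not say that `check_all_crl` only does anything together with `check_crl`; OpenSSL's X509_V_FLAG_CRL_CHECK_ALL widens CRL checking to the whole chain but is ignored when X509_V_FLAG_CRL_CHECK is not set, so an operator who enables only the new option gets no revocation checking at all while the configuration reads as though intermediates are checked. Suggest `# Check if intermediate CAs have been revoked.  Only effective together with check_crl = yes.` The numbered steps still jump from 3) to 5), and the commented `check_all_crl = yes` example is indented like `check_crl = yes` rather than like the comment text around it; worth tidying while the block is being edited.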
index 9fdc775fa064cb73235c803dfbd27913f72959bb..a41c6f5abfcfee7eb58dce912773d83f07b8c40e 100644 (file)
@@ -347,6 +347,7 @@ struct fr_tls_server_conf_t {
         */
        uint32_t        fragment_size;
        bool            check_crl;
+       bool            check_all_crl;
        bool            allow_expired_crl;
        char const      *check_cert_cn;
        char const      *cipher_list;
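Review bot: The new `check_all_crl` member has no comment, although the `*/` at the top of the hunk suggests the fields in this struct are documented; since the option is a no-op without check_crl in OpenSSL, that dependency is worth recording next to the field, e.g. `bool check_all_crl;	/* also CRL-check intermediate CAs; no effect unless check_crl is set */`. struct fr_tls_server_conf_t begins before this hunk.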
index 692651fa5999c96493e22aa3c71a1c8642f5eadd..9df48b4c445e94fe2cb9465191d1195ee7df4e19 100644 (file)
@@ -999,6 +999,9 @@ static CONF_PARSER tls_server_config[] = {
        { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
        { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
        { "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+       { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" },
+#endif
        { "allow_expired_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, allow_expired_crl), NULL },
        { "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_cn), NULL },
        { "cipher_list", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, cipher_list), NULL },
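Review bot: The `check_all_crl` parser entry is wrapped in `#ifdef X509_V_FLAG_CRL_CHECK_ALL` while the `check_crl` entry directly above is unconditional, even though its only use in init_revocation_store is likewise guarded by `#ifdef X509_V_FLAG_CRL_CHECK`; on an OpenSSL without the flag the two options therefore behave differently, `check_all_crl` being rejected as an unknown item and `check_crl` being accepted and silently ignored. Rejecting a setting that cannot be honoured is the safer of the two, so a one-line comment recording that intent, `/* No entry on builds without CRL_CHECK_ALL: the option is rejected rather than silently ignored */`, would keep a later reader from "fixing" the inconsistency in the wrong direction. Note that the struct member itself is added unconditionally in tls.h, so it simply stays false on such builds. The tls_server_config array continues outside the hunk.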
@@ -2103,6 +2106,10 @@ static X509_STORE *init_revocation_store(fr_tls_server_conf_t *conf)
 #ifdef X509_V_FLAG_CRL_CHECK
        if (conf->check_crl)
                X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
+#endif
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+       if (conf->check_all_crl)
+               X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
 #endif
        return store;
 }
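Review bot: The new branch sets X509_V_FLAG_CRL_CHECK_ALL whenever `conf->check_all_crl` is true, independently of `conf->check_crl`, but OpenSSL only consults CRL_CHECK_ALL when CRL_CHECK is also set, so `check_all_crl = yes` on its own yields a store that performs no revocation checking at all while the configuration suggests intermediates are being checked. Either tie the flag to the existing option, `if (conf->check_crl && conf->check_all_crl)`, or reject/warn at configuration time when check_all_crl is set without check_crl. The later hunk at post_ca appears to set the same flag inside the block that already sets X509_V_FLAG_CRL_CHECK, so that path would not have the issue, though its enclosing condition is outside the hunk. init_revocation_store begins before this hunk.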
@@ -2591,6 +2598,11 @@ post_ca:
                        return NULL;
                }
                X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
+
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+               if (conf->check_all_crl)
+                       X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
+#endif
        }
 #endif