Fail on critical extensions in openssl CRLs

diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index b9d97a9018de0e7c8d88c8e448e9e15d17de091c..793899d33c47abe2b7d5a5f6073522f2578b41b0 100644 (file)
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -458,7 +458,12 @@ static bool parse_extensions(private_openssl_crl_t *this)
                                        ok = parse_crlNumber_ext(this, ext);
                                        break;
                                default:
-                                       ok = TRUE;
+                                       ok = X509_EXTENSION_get_critical(ext) != 0;
+                                       if (!ok)
+                                       {
+                                               DBG1(DBG_LIB, "found unsupported critical X.509 "
+                                                        "CRL extension");
+                                       }
                                        break;
                        }
                        if (!ok)