From: Yann Ylavic <ylavic@apache.org>
Date: Tue, 14 Jun 2016 09:35:13 +0000 (+0000)
Subject: mod_ssl: follow up to r1734561.
X-Git-Tag: 2.5.0-alpha~1506
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=039212b23e0ad8ac1553a75e0b0878e7b2fef900;p=thirdparty%2Fapache%2Fhttpd.git

mod_ssl: follow up to r1734561.
Don't enable CRL checks/flags by default.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1748368 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 53d12168dc5..bd7d4beb6c1 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -891,7 +891,12 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
     X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
     unsigned long crlflags = 0;
     char *cfgp = mctx->pkp ? "SSLProxy" : "SSL";
-    int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
+    int crl_check_mode;
+
+    if (mctx->crl_check_mask == UNSET) {
+        mctx->crl_check_mask = SSL_CRLCHECK_NONE;
+    }
+    crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
 
     /*
      * Configure Certificate Revocation List (CRL) Details