From: William Lallemand
Date: Tue, 2 May 2023 16:26:46 +0000 (+0200)
Subject: MINOR: ssl: disable CRL checks with WolfSSL when no CRL file
X-Git-Tag: v2.8-dev10~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64a77e3ea5;p=thirdparty%2Fhaproxy.git

MINOR: ssl: disable CRL checks with WolfSSL when no CRL file

WolfSSL is enabling by default the CRL checks even if a CRL file wasn't provided. This patch resets the default X509_STORE flags so this is not checked by default.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e7f6d41b9b..a32ff413e6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4569,6 +4569,7 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
 	const char *conf_ciphersuites;
 #endif
 	const char *conf_curves = NULL;
+	X509_STORE *store = SSL_CTX_get_cert_store(ctx);
 
 	if (ssl_conf) {
 		struct tls_version_filter *conf_ssl_methods = &ssl_conf->ssl_methods;
@@ -4632,6 +4633,10 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
 			/* set CA names for client cert request, function returns void */
 			SSL_CTX_set_client_CA_list(ctx, SSL_dup_CA_list(ssl_get_client_ca_file(ca_file)));
 		}
+#ifdef USE_OPENSSL_WOLFSSL
+		/* WolfSSL activates CRL checks by default so we need to disable it */
+		X509_STORE_set_flags(store, 0) ;
+#endif
 	} else {
 		memprintf(err, "%sProxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n",
@@ -4640,7 +4645,6 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
 	}
 #ifdef X509_V_FLAG_CRL_CHECK
 	if (crl_file) {
-		X509_STORE *store = SSL_CTX_get_cert_store(ctx);
 		if (!ssl_set_cert_crl_file(store, crl_file)) {
 			memprintf(err, "%sProxy '%s': unable to configure CRL file '%s' for bind '%s' at [%s:%d].\n",
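Review bot: The call `X509_STORE_set_flags(store, 0) ;` in the WolfSSL-only block of the second hunk relies on a WolfSSL-specific reading of the API: in OpenSSL this function ORs new bits into the store's existing flags, so passing 0 is a no-op there, and a reader used to that contract will take the line for dead code. The intent also depends on ordering — the reset must stay before the `if (crl_file)` block in the third hunk, otherwise a configured CRL file would have its revocation checking silently switched off, so that constraint deserves to be written down next to the call. Suggest expanding the comment to `/* WolfSSL enables CRL checking by default; it treats an empty flag set here as disabling it. Must stay before the crl_file block below, which re-enables CRL checking when a CRL is configured. */` and dropping the stray space before the semicolon: `X509_STORE_set_flags(store, 0);`. If WolfSSL assigns rather than ORs the value, this also wipes any other store flags set earlier on the context, which is worth confirming against the WolfSSL compat layer. ssl_sock_prepare_ctx begins and ends outside these hunks.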