From: Alan T. DeKok
Date: Wed, 8 Dec 2010 15:34:54 +0000 (+0100)
Subject: Undocumented command to allow expired CRLs
X-Git-Tag: release_2_1_11~193
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=70a701e3d5bdadcfe790fe79d48b115586c923c4;p=thirdparty%2Ffreeradius-server.git

Undocumented command to allow expired CRLs
---

diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index 067388af595..09bf6264bdd 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -112,6 +112,8 @@ static CONF_PARSER module_config[] = {
 	  offsetof(EAP_TLS_CONF, include_length), NULL, "yes" },
 	{ "check_crl", PW_TYPE_BOOLEAN,
 	  offsetof(EAP_TLS_CONF, check_crl), NULL, "no"},
+	{ "allow_expired_crl", PW_TYPE_BOOLEAN,
+	  offsetof(EAP_TLS_CONF, allow_expired_crl), NULL, NULL},
 	{ "check_cert_cn", PW_TYPE_STRING_PTR,
 	  offsetof(EAP_TLS_CONF, check_cert_cn), NULL, NULL},
 	{ "cipher_list", PW_TYPE_STRING_PTR,
@@ -520,6 +522,16 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 				 pairmake(cert_attr_names[EAPTLS_CN][lookup], common_name, T_OP_SET));
 	}
 
+	/*
+	 *	If the CRL has expired, that might still be OK.
+	 */
+	if (!my_ok &&
+	    (conf->allow_expired_crl) &&
+	    (err == X509_V_ERR_CRL_HAS_EXPIRED)) {
+		my_ok = 1;
+		X509_STORE_CTX_set_error( ctx, 0 );
+	}
+
 	if (!my_ok) {
 		const char *p = X509_verify_cert_error_string(err);
 		radlog(L_ERR,"--> verify error:num=%d:%s\n",err, p);
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
index 6be8542140b..3a994aaa185 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
@@ -56,6 +56,7 @@ typedef struct eap_tls_conf {
 	 */
 	int		fragment_size;
 	int		check_crl;
+	int		allow_expired_crl;
 	char		*check_cert_cn;
 	char		*cipher_list;
 	char		*check_cert_issuer;
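Review bot: The new `allow_expired_crl` entry in module_config[] has a NULL default, unlike the neighbouring `check_crl` entry which defaults to "no", so the fail-closed value of this flag rests on whatever zeroes the EAP_TLS_CONF allocation elsewhere (not visible in this hunk) rather than on the parser table itself. Since turning this on means revocations published after the CRL's nextUpdate are no longer seen, the safe state should be spelled out here: `offsetof(EAP_TLS_CONF, allow_expired_crl), NULL, "no"},`. A short comment above the entry, such as `/* accept a CRL whose nextUpdate has passed; only for sites that cannot refresh CRLs in time */`, would also make the risk visible to whoever reads the table, which matters more than usual because the commit title says the option is deliberately undocumented.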
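Review bot: The override in cbtls_verify accepts the expired-CRL case silently, so an operator whose CRL distribution has broken gets no signal that revocation checking is effectively running on stale data; the block should log before clearing the error, e.g. `radlog(L_INFO, "--> Accepting expired CRL (allow_expired_crl = yes)");` inserted before `my_ok = 1;`. The literal `0` passed to X509_STORE_CTX_set_error should be the named constant, `X509_STORE_CTX_set_error(ctx, X509_V_OK);`, matching the `X509_V_ERR_CRL_HAS_EXPIRED` symbol used in the condition. Note that `err` and `my_ok` are set earlier in cbtls_verify, outside this hunk, and the function continues past it; presumably `err` was read once via X509_STORE_CTX_get_error, so it still holds the expired-CRL code after the override and any later use of it should be checked. The corresponding struct field added in rlm_eap_tls.h is consistent with this hunk and needs no separate change.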