From: Craig Huckabee Date: Sat, 10 Dec 2022 00:11:36 +0000 (-0500) Subject: Add ocspd verifycert boolean (#4800) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd07b3b3c2702df1c8e909db8f15b02c4060b0e0;p=thirdparty%2Ffreeradius-server.git Add ocspd verifycert boolean (#4800) * Add verifycert boolean to disable OCSP server certificate validation * Fix typo Co-authored-by: Craig Huckabee --- diff --git a/src/modules/rlm_ocsp/conf.c b/src/modules/rlm_ocsp/conf.c index e531cb7d191..8b1dc8273a7 100644 --- a/src/modules/rlm_ocsp/conf.c +++ b/src/modules/rlm_ocsp/conf.c @@ -9,6 +9,7 @@ static CONF_PARSER ocsp_config[] = { { FR_CONF_OFFSET("use_nonce", FR_TYPE_BOOL, fr_tls_ocsp_conf_t, use_nonce), .dflt = "yes" }, { FR_CONF_OFFSET("timeout", FR_TYPE_UINT32, fr_tls_ocsp_conf_t, timeout), .dflt = "yes" }, { FR_CONF_OFFSET("softfail", FR_TYPE_BOOL, fr_tls_ocsp_conf_t, softfail), .dflt = "no" }, + { FR_CONF_OFFSET("verifycert", FR_TYPE_BOOL, fr_tls_ocsp_conf_t, verifycert), .dflt = "yes" }, CONF_PARSER_TERMINATOR }; diff --git a/src/modules/rlm_ocsp/ocsp.c b/src/modules/rlm_ocsp/ocsp.c index 63db754e174..b927a6da207 100644 --- a/src/modules/rlm_ocsp/ocsp.c +++ b/src/modules/rlm_ocsp/ocsp.c @@ -564,10 +564,13 @@ int fr_tls_ocsp_check(request_t *request, SSL *ssl, REDEBUG("Response has wrong nonce value"); goto finish; } - if (OCSP_basic_verify(bresp, NULL, store, 0) != 1){ - REDEBUG("Couldn't verify OCSP basic response"); - goto finish; - } + + if (conf->verifycert) { + if (OCSP_basic_verify(bresp, NULL, store, 0) != 1){ + REDEBUG("Couldn't verify OCSP basic response"); + goto finish; + } + } /* Verify OCSP cert status */ if (!OCSP_resp_find_status(bresp, certid, (int *)&status, &reason, &rev, &this_update, &next_update)) { diff --git a/src/modules/rlm_ocsp/ocsp.h b/src/modules/rlm_ocsp/ocsp.h index b69e16bb2fc..512535f36c4 100644 --- a/src/modules/rlm_ocsp/ocsp.h +++ b/src/modules/rlm_ocsp/ocsp.h 
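Review bot: The new `verifycert` key has no comment marking it as security-sensitive, although `no` skips the `OCSP_basic_verify` call in ocsp.c, which is the only check that the response was signed by a responder trusted through `store`. Add `//!< Check the OCSP response signature and responder chain; "no" accepts unauthenticated responses (insecure).` on the new line, and note that the name understates what is skipped: it is the whole basic-response signature check, not just a certificate check. On the context line for `timeout`, `.dflt = "yes"` for an `FR_TYPE_UINT32` cannot parse as an integer; this predates the commit but deserves a follow-up. The `ocsp_config` array's opening line is outside the hunk.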
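Review bot: With `verifycert = no`, `fr_tls_ocsp_check` now hands an unverified `bresp` to `OCSP_resp_find_status`, so any party able to answer or intercept the responder request (OCSP is commonly fetched over plain HTTP) can return `good` for a revoked certificate; the nonce check kept just above only proves freshness, since an active attacker simply echoes the nonce back. This also inverts the posture set by `softfail`: an unreachable responder can fail closed while a forged response is accepted. At minimum make the skip visible at runtime, e.g. `} else { RWDEBUG("verifycert = no: OCSP response signature not checked, status is unauthenticated"); }` after the new block, using whichever request-warning macro the module uses. If the motivation is a responder certificate that cannot chain to `store`, calling `OCSP_basic_verify` with that certificate in the `certs` argument (currently `NULL`) plus `OCSP_TRUSTOTHER` relaxes only chain building while keeping the signature check; I cannot confirm the motivation from this hunk. `fr_tls_ocsp_check` starts and ends outside the hunk.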
@@ -11,6 +11,7 @@ typedef struct { X509_STORE *store; uint32_t timeout; bool softfail; + bool verifycert; fr_tls_cache_t cache; //!< Cached cache section pointers. Means we don't have