From 64a77e3ea54210462765ec7988eeb66ae59842ac Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Tue, 2 May 2023 18:26:46 +0200 Subject: [PATCH] MINOR: ssl: disable CRL checks with WolfSSL when no CRL file WolfSSL is enabling by default the CRL checks even if a CRL file wasn't provided. This patch resets the default X509_STORE flags so this is not checked by default. --- src/ssl_sock.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index e7f6d41b9b..a32ff413e6 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4569,6 +4569,7 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con const char *conf_ciphersuites; #endif const char *conf_curves = NULL; + X509_STORE *store = SSL_CTX_get_cert_store(ctx); if (ssl_conf) { struct tls_version_filter *conf_ssl_methods = &ssl_conf->ssl_methods; @@ -4632,6 +4633,10 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con /* set CA names for client cert request, function returns void */ SSL_CTX_set_client_CA_list(ctx, SSL_dup_CA_list(ssl_get_client_ca_file(ca_file))); } +#ifdef USE_OPENSSL_WOLFSSL + /* WolfSSL activates CRL checks by default so we need to disable it */ + X509_STORE_set_flags(store, 0) ; +#endif } else { memprintf(err, "%sProxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n", @@ -4640,7 +4645,6 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con } #ifdef X509_V_FLAG_CRL_CHECK if (crl_file) { - X509_STORE *store = SSL_CTX_get_cert_store(ctx); if (!ssl_set_cert_crl_file(store, crl_file)) { memprintf(err, "%sProxy '%s': unable to configure CRL file '%s' for bind '%s' at [%s:%d].\n", -- 2.39.5