From 978edad8fbaebab8cac435ec7e2dbf330b5d1170 Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Mon, 3 Oct 2016 12:38:35 +0300
Subject: [PATCH] lib-ssl-iostream: Allow skipping CRL check

---
 src/lib-ssl-iostream/iostream-openssl-context.c | 10 ++++++----
 src/lib-ssl-iostream/iostream-ssl.h | 1 +
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 60c3ba32ed..f39a51d5e2 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -279,11 +279,13 @@ ssl_iostream_ctx_verify_remote_cert(struct ssl_iostream_context *ctx,
 			STACK_OF(X509_NAME) *ca_names)
 {
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
-	X509_STORE *store;
+	if (!ctx->set->skip_crl_check) {
+		X509_STORE *store;
 
-	store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
-	X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
-			     X509_V_FLAG_CRL_CHECK_ALL);
+		store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
+		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
+				     X509_V_FLAG_CRL_CHECK_ALL);
+	}
 #endif
 
 	SSL_CTX_set_client_CA_list(ctx->ssl_ctx, ca_names);
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 6103559120..13260966bc 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -24,6 +24,7 @@ struct ssl_iostream_settings {
 	const char *crypto_device; /* context-only */
 
 	bool verbose, verbose_invalid_cert; /* stream-only */
+	bool skip_crl_check;
 	bool verify_remote_cert; /* neither/both */
 	bool allow_invalid_cert; /* stream-only */
 	bool prefer_server_ciphers;
-- 
2.47.3
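Review bot: The new `if (!ctx->set->skip_crl_check)` branch turns off certificate revocation checking entirely when the setting is true, and nothing in the code or the commit message records that consequence or the reason an operator would want it (X509_V_FLAG_CRL_CHECK_ALL makes verification fail when no CRL is available for an issuer, which is presumably what the new option exists to avoid). A comment on the `if` line should state it: `/* skip_crl_check: leave CRL flags unset, so revoked certs pass verification; intended for CAs that publish no CRL. */`. Consider also emitting a verbose-level log line from the skip path so a deployment running without revocation checks is visible in operation, if the verbose setting is reachable here. ssl_iostream_ctx_verify_remote_cert begins and ends outside this hunk, and on OpenSSL older than the `#if` guard the setting has no effect either way.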
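Review bot: The added `bool skip_crl_check;` is the only field in this group without the `/* context-only */`, `/* stream-only */` or `/* neither/both */` annotation that the surrounding members carry, so a reader cannot tell whether the setting takes effect at context creation or per stream. The companion change reads it only in ssl_iostream_ctx_verify_remote_cert, which appears to be context setup, so `bool skip_crl_check; /* context-only */` seems right, subject to confirming there is no stream-level reader elsewhere. A second short comment saying that enabling it disables CRL-based revocation checking would help anyone setting it from configuration. The struct definition starts and ends outside this hunk.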