]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 456c399)
MINOR: ssl: disable server side default CRL check with WolfSSL
authorDamien Claisse <d.claisse@criteo.com>
Tue, 8 Oct 2024 13:32:49 +0000 (13:32 +0000)
committerWilliam Lallemand <wlallemand@haproxy.com>
Thu, 10 Oct 2024 07:31:19 +0000 (09:31 +0200)
Patch 64a77e3ea5 disabled CRL check when no CRL file was provided, but
it only did it on bind side. Add the same fix in server context
initialization side.
This allows to enable peer verification (verify required) on a server
using TLS, without having to provide a CRL file.

src/ssl_sock.c patch | blob | blame | history

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ca59958c10a029f2c2d02521659c9159265866b3..54550f00deb2d69524f7e5a2cd6fbe71463420ca 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4432,6 +4432,7 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
 #if defined(SSL_CTX_set1_curves_list)
        const char *conf_curves = NULL;
 #endif
+       X509_STORE *store = SSL_CTX_get_cert_store(ctx);
 
        if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max))
                ha_warning("no-sslv3/no-tlsv1x are ignored for this server. "
@@ -4520,6 +4521,10 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
                                         srv->ssl_ctx.ca_file);
                                cfgerr++;
                        }
+#ifdef USE_OPENSSL_WOLFSSL
+                       /* WolfSSL activates CRL checks by default so we need to disable it */
+                       X509_STORE_set_flags(store, 0) ;
+#endif
                }
                else {
                        if (global.ssl_server_verify == SSL_SERVER_VERIFY_REQUIRED)
@@ -4530,8 +4535,6 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
                }
 #ifdef X509_V_FLAG_CRL_CHECK
                if (srv->ssl_ctx.crl_file) {
-                       X509_STORE *store = SSL_CTX_get_cert_store(ctx);
-
                        if (!ssl_set_cert_crl_file(store, srv->ssl_ctx.crl_file)) {
                                ha_alert("unable to configure CRL file '%s'.\n",
                                         srv->ssl_ctx.crl_file);
Mirror of https://github.com/haproxy/haproxy.git