summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--radsecproxy.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/radsecproxy.c b/radsecproxy.c
index b57a987..4c52570 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -2532,7 +2532,7 @@ int tlslistener() {
return 0;
}
-void tlsadd(char *value, char *cacertfile, char *cacertpath, char *certfile, char *certkeyfile, char *certkeypwd) {
+void tlsadd(char *value, char *cacertfile, char *cacertpath, char *certfile, char *certkeyfile, char *certkeypwd, uint8_t crlcheck) {
struct tls *new;
SSL_CTX *ctx;
STACK_OF(X509_NAME) *calist;
@@ -2601,8 +2601,10 @@ void tlsadd(char *value, char *cacertfile, char *cacertpath, char *certfile, cha
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);
SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1);
- x509_s = SSL_CTX_get_cert_store(ctx);
- X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+ if (crlcheck) {
+ x509_s = SSL_CTX_get_cert_store(ctx);
+ X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+ }
new = malloc(sizeof(struct tls));
if (!new || !list_push(tlsconfs, new))
@@ -3101,6 +3103,7 @@ void confrealm_cb(struct gconffile **cf, char *block, char *opt, char *val) {
void conftls_cb(struct gconffile **cf, char *block, char *opt, char *val) {
char *cacertfile = NULL, *cacertpath = NULL, *certfile = NULL, *certkeyfile = NULL, *certkeypwd = NULL;
+ uint8_t crlcheck = 0;
debug(DBG_DBG, "conftls_cb called for %s", block);
@@ -3110,10 +3113,11 @@ void conftls_cb(struct gconffile **cf, char *block, char *opt, char *val) {
"CertificateFile", CONF_STR, &certfile,
"CertificateKeyFile", CONF_STR, &certkeyfile,
"CertificateKeyPassword", CONF_STR, &certkeypwd,
+ "CRLCheck", CONF_BLN, &crlcheck,
NULL
);
- tlsadd(val, cacertfile, cacertpath, certfile, certkeyfile, certkeypwd);
+ tlsadd(val, cacertfile, cacertpath, certfile, certkeyfile, certkeypwd, crlcheck);
free(cacertfile);
free(cacertpath);
free(certfile);