From 210f1edda60830fcde0963954e1643f8f92fbda9 Mon Sep 17 00:00:00 2001 From: venaas Date: Thu, 17 Jul 2008 17:17:47 +0000 Subject: added crlcheck config option, default off git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@305 e88ac4ed-0b26-0410-9574-a7f39faa03bf --- radsecproxy.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/radsecproxy.c b/radsecproxy.c index 91cafcf..7f1ab32 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -2747,7 +2747,7 @@ int tlslistener() { return 0; } -void tlsadd(char *value, char *cacertfile, char *cacertpath, char *certfile, char *certkeyfile, char *certkeypwd) { +void tlsadd(char *value, char *cacertfile, char *cacertpath, char *certfile, char *certkeyfile, char *certkeypwd, uint8_t crlcheck) { struct tls *new; SSL_CTX *ctx; STACK_OF(X509_NAME) *calist; @@ -2816,8 +2816,10 @@ void tlsadd(char *value, char *cacertfile, char *cacertpath, char *certfile, cha SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb); SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1); - x509_s = SSL_CTX_get_cert_store(ctx); - X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); + if (crlcheck) { + x509_s = SSL_CTX_get_cert_store(ctx); + X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); + } new = malloc(sizeof(struct tls)); if (!new || !list_push(tlsconfs, new)) @@ -3640,6 +3642,7 @@ int confrealm_cb(struct gconffile **cf, void *arg, char *block, char *opt, char int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) { char *cacertfile = NULL, *cacertpath = NULL, *certfile = NULL, *certkeyfile = NULL, *certkeypwd = NULL; + uint8_t crlcheck = 0; debug(DBG_DBG, "conftls_cb called for %s", block); @@ -3649,11 +3652,12 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v "CertificateFile", CONF_STR, &certfile, "CertificateKeyFile", CONF_STR, &certkeyfile, "CertificateKeyPassword", CONF_STR, &certkeypwd, + "CRLCheck", CONF_BLN, &crlcheck, NULL )) debugx(1, DBG_ERR, "configuration error"); - tlsadd(val, cacertfile, cacertpath, certfile, certkeyfile, certkeypwd); + tlsadd(val, cacertfile, cacertpath, certfile, certkeyfile, certkeypwd, crlcheck); free(cacertfile); free(cacertpath); free(certfile); -- cgit v1.1