author | Richard Levitte <levitte@openssl.org> | 2016-08-03 16:02:20 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2016-08-03 16:05:28 +0200 |
commit | 790555d6756285b3ec18e3efbb195cf33f217d8f (patch) | |
tree | 2c58872b58d0a706b7a7fe02a3460e513ae8a973 | |
parent | ea24fe29968299ee68c70467ef4dd2cbc53bbee9 (diff) | |
download | openssl-790555d6756285b3ec18e3efbb195cf33f217d8f.tar.gz |

Don't check any revocation info on proxy certificates

Because proxy certificates typically come without any CRL information,
trying to check revocation on them will fail. Better not to try
checking such information for them at all.

Reviewed-by: Rich Salz <rsalz@openssl.org>

-rw-r--r-- | crypto/x509/x509_vfy.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 099a4d81bb..28745741b2 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -844,6 +844,9 @@ static int check_cert(X509_STORE_CTX *ctx) ctx->current_crl_score = 0; ctx->current_reasons = 0; + if (x->ex_flags & EXFLAG_PROXY) + return 1; + while (ctx->current_reasons != CRLDP_ALL_REASONS) { unsigned int last_reasons = ctx->current_reasons; |
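Review bot: the new early return in check_cert(), `if (x->ex_flags & EXFLAG_PROXY) return 1;`, has no comment and skips the revocation loop for every proxy certificate unconditionally, whereas the commit message only says such certificates "typically" lack CRL information. A proxy certificate that could be matched to a CRL is therefore reported as passing revocation checks without ever being looked up. Please add a comment above the test stating that proxy certificates are deliberately exempt from CRL checking and why, and consider documenting this exemption where the CRL check flags are described so that callers who enable revocation checking know it does not cover proxy certificates in the chain. The return also sits after the resets of ctx->current_crl_score and ctx->current_reasons, so the function exits with those fields zeroed; that looks harmless from the visible lines, but a note that this is intentional would help the next reader.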