Index: modules/ssl/mod_ssl.c =================================================================== --- modules/ssl/mod_ssl.c (revision 1674221) +++ modules/ssl/mod_ssl.c (working copy) @@ -157,6 +157,8 @@ "Set user name to SSL variable value") SSL_CMD_SRV(StrictSNIVHostCheck, FLAG, "Strict SNI virtual host checking") + SSL_CMD_ALL(DisableCRLCaching, FLAG, + "Disable ('on') or enable (default, 'off') CRL caching") #ifdef HAVE_SRP SSL_CMD_SRV(SRPVerifierFile, TAKE1, Index: modules/ssl/ssl_engine_config.c =================================================================== --- modules/ssl/ssl_engine_config.c (revision 1674221) +++ modules/ssl/ssl_engine_config.c (working copy) @@ -214,6 +214,7 @@ sc->session_cache_timeout = UNSET; sc->cipher_server_pref = UNSET; sc->insecure_reneg = UNSET; + sc->disable_crl_caching = UNSET; sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET; sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET; sc->proxy_ssl_check_peer_name = SSL_ENABLED_UNSET; @@ -357,6 +358,7 @@ cfgMergeInt(session_cache_timeout); cfgMergeBool(cipher_server_pref); cfgMergeBool(insecure_reneg); + cfgMergeBool(disable_crl_caching); cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET); cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET); cfgMerge(proxy_ssl_check_peer_name, SSL_ENABLED_UNSET); @@ -1372,6 +1374,15 @@ return ssl_cmd_protocol_parse(cmd, arg, &sc->server->protocol); } +const char *ssl_cmd_SSLDisableCRLCaching(cmd_parms *cmd, void *dcfg, int flag) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + + sc->disable_crl_caching = flag ? TRUE : FALSE; + + return NULL; +} + const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); Index: modules/ssl/ssl_engine_kernel.c =================================================================== --- modules/ssl/ssl_engine_kernel.c (revision 1674221) +++ modules/ssl/ssl_engine_kernel.c (working copy) @@ -1375,6 +1375,35 @@ return modssl_get_dh_params(keylen); } +static void cleanup_crl_cache(X509_STORE_CTX *ctx) +{ + STACK_OF(X509_OBJECT) *st = ctx->ctx->objs; + X509_OBJECT *a; + int i; + + if (st == NULL) { + return; + } + + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); + + for (i = 0 ; i < st->stack.num; i++) { + a = (X509_OBJECT *) st->stack.data[i]; + if (a != NULL && a->type == X509_LU_CRL) { + X509_OBJECT_free_contents(a); + OPENSSL_free(a); + sk_X509_OBJECT_delete(st, i); + /* sk_X509_OBJECT_delete removes current 'i-th' object, + * i now points to next object and by incrementing it in the + * for cycle, we would skip one item. Decrease it to mitigiate + * it. */ + i--; + } + } + + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); +} + /* * This OpenSSL callback function is called when OpenSSL * does client authentication and verifies the certificate chain. @@ -1527,6 +1556,11 @@ ok = FALSE; } + if (sc->disable_crl_caching == TRUE + && (mctx->crl_file != NULL || mctx->crl_path != NULL)) { + cleanup_crl_cache(ctx); + } + /* * And finally signal OpenSSL the (perhaps changed) state */ Index: modules/ssl/ssl_private.h =================================================================== --- modules/ssl/ssl_private.h (revision 1674221) +++ modules/ssl/ssl_private.h (working copy) @@ -670,6 +670,7 @@ BOOL compression; #endif BOOL session_tickets; + BOOL disable_crl_caching; }; /** @@ -735,6 +736,7 @@ const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg); +const char *ssl_cmd_SSLDisableCRLCaching(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);