The branch master has been updated
via 790555d6756285b3ec18e3efbb195cf33f217d8f (commit)
from ea24fe29968299ee68c70467ef4dd2cbc53bbee9 (commit)
- Log -----------------------------------------------------------------
commit 790555d6756285b3ec18e3efbb195cf33f217d8f
Author: Richard Levitte <[email protected]>
Date: Wed Aug 3 16:02:20 2016 +0200

Don't check any revocation info on proxy certificates

Because proxy certificates typically come without any CRL information,
trying to check revocation on them will fail. Better not to try
checking such information for them at all.

Reviewed-by: Rich Salz <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x509_vfy.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 099a4d8..2874574 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -844,6 +844,9 @@ static int check_cert(X509_STORE_CTX *ctx)
ctx->current_crl_score = 0;
ctx->current_reasons = 0;
+ if (x->ex_flags & EXFLAG_PROXY)
+ return 1;
+
while (ctx->current_reasons != CRLDP_ALL_REASONS) {
unsigned int last_reasons = ctx->current_reasons;
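
Review bot: the early return at the new `if (x->ex_flags & EXFLAG_PROXY)` test is unconditional and carries no comment, so check_cert() returns 1 for every proxy certificate, including one that does come with CRL information (the commit message only says they "typically" come without it). Add a short comment above the test stating why revocation checking is skipped for proxy certificates, and consider limiting the skip to the case where no CRL information is available for the certificate, so that the result of 1 is not mistaken for a completed revocation check.
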
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits