From 790555d6756285b3ec18e3efbb195cf33f217d8f Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 3 Aug 2016 16:02:20 +0200 Subject: [PATCH] Don't check any revocation info on proxy certificates Because proxy certificates typically come without any CRL information, trying to check revocation on them will fail. Better not to try checking such information for them at all. Reviewed-by: Rich Salz --- crypto/x509/x509_vfy.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 099a4d81bb..28745741b2 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -844,6 +844,9 @@ static int check_cert(X509_STORE_CTX *ctx) ctx->current_crl_score = 0; ctx->current_reasons = 0; + if (x->ex_flags & EXFLAG_PROXY) + return 1; + while (ctx->current_reasons != CRLDP_ALL_REASONS) { unsigned int last_reasons = ctx->current_reasons; -- 2.34.1
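Review bot: The added `if (x->ex_flags & EXFLAG_PROXY) return 1;` in check_cert() has no code comment, and it returns success unconditionally although the commit message only says proxy certificates "typically" come without CRL information. Someone reading x509_vfy.c later will see revocation checking skipped for a whole class of certificates, with the reason recorded only in the commit log. Please add a short comment above the test saying that revocation is deliberately not checked for proxy certificates and why. Please also state, in the comment or in the documentation, that the skip applies even to a proxy certificate that does carry revocation information, so callers do not assume such a certificate was checked just because check_cert() returned 1.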