Don't check any revocation info on proxy certificates
authorRichard Levitte <levitte@openssl.org>
Wed, 3 Aug 2016 14:02:20 +0000 (16:02 +0200)
committerRichard Levitte <levitte@openssl.org>
Wed, 3 Aug 2016 14:15:05 +0000 (16:15 +0200)
Because proxy certificates typically come without any CRL information,
trying to check revocation on them will fail.  Better not to try
checking such information for them at all.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 790555d6756285b3ec18e3efbb195cf33f217d8f)

crypto/x509/x509_vfy.c

index ade5985..8334b3f 100644 (file)
@@ -992,6 +992,8 @@ static int check_cert(X509_STORE_CTX *ctx)
     ctx->current_issuer = NULL;
     ctx->current_crl_score = 0;
     ctx->current_reasons = 0;
+    if (x->ex_flags & EXFLAG_PROXY)
+        return 1;
     while (ctx->current_reasons != CRLDP_ALL_REASONS) {
         last_reasons = ctx->current_reasons;
         /* Try to retrieve relevant CRL */