Set X509_V_FLAG_CRL_CHECK_ALL

raddb/eap.conf

@@ -232,9 +232,13 @@
 			#  1) Copy CA certificates and CRLs to same directory.
 			#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
 			#    'c_rehash' is OpenSSL's command.
-			#  3) uncomment the line below.
+			#  3) uncomment the lines below.
 			#  5) Restart radiusd
 		#	check_crl = yes
+
+			# Check if intermediate CAs have been revoked.
+		#	check_all_crl = yes
+
 			CA_path = ${cadir}
 
 		       #

src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c

@@ -120,6 +120,8 @@ static CONF_PARSER module_config[] = {
 	  offsetof(EAP_TLS_CONF, include_length), NULL, "yes" },
 	{ "check_crl", PW_TYPE_BOOLEAN,
 	  offsetof(EAP_TLS_CONF, check_crl), NULL, "no"},
+	{ "check_all_crl", PW_TYPE_BOOLEAN,
+	  offsetof(EAP_TLS_CONF, check_all_crl), NULL, "no"},
 	{ "allow_expired_crl", PW_TYPE_BOOLEAN,
 	  offsetof(EAP_TLS_CONF, allow_expired_crl), NULL, NULL},
 	{ "check_cert_cn", PW_TYPE_STRING_PTR,
@@ -975,6 +977,10 @@ static X509_STORE *init_revocation_store(EAP_TLS_CONF *conf)
 #ifdef X509_V_FLAG_CRL_CHECK
 	if (conf->check_crl)
 		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
+#endif
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+	if (conf->check_all_crl)
+		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
 #endif
 	return store;
 }
@@ -1240,6 +1246,10 @@ static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf)
 	    return NULL;
 	  }
 	  X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
+
+	  if (conf->check_all_crl) {
+		  X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
+	  }
 	}
 #endif
 

src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h

@@ -59,6 +59,7 @@ typedef struct eap_tls_conf {
 	 */
 	int		fragment_size;
 	int		check_crl;
+	int		check_all_crl;
 	int		allow_expired_crl;
 	char		*check_cert_cn;
 	char		*cipher_list;