lib-ssl-iostream: Allow skipping CRL check

dovecot · Oct 31, 2017 · 978edad · 978edad
1 parent 0577701
commit 978edad
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -279,11 +279,13 @@ ssl_iostream_ctx_verify_remote_cert(struct ssl_iostream_context *ctx,
 				    STACK_OF(X509_NAME) *ca_names)
 {
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
-	X509_STORE *store;
+	if (!ctx->set->skip_crl_check) {
+		X509_STORE *store;
 
-	store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
-	X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
-			     X509_V_FLAG_CRL_CHECK_ALL);
+		store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
+		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
+				     X509_V_FLAG_CRL_CHECK_ALL);
+	}
 #endif
 
 	SSL_CTX_set_client_CA_list(ctx->ssl_ctx, ca_names);

diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
@@ -24,6 +24,7 @@ struct ssl_iostream_settings {
 	const char *crypto_device; /* context-only */
 
 	bool verbose, verbose_invalid_cert; /* stream-only */
+	bool skip_crl_check;
 	bool verify_remote_cert; /* neither/both */
 	bool allow_invalid_cert; /* stream-only */
 	bool prefer_server_ciphers;