Don't check any revocation info on proxy certificates

Because proxy certificates typically come without any CRL information, trying to check revocation on them will fail. Better not to try checking such information for them at all. Reviewed-by: N Rich Salz <rsalz@openssl.org>

Don't check any revocation info on proxy certificates
Because proxy certificates typically come without any CRL information, trying to check revocation on them will fail. Better not to try checking such information for them at all. Reviewed-by: N Rich Salz <rsalz@openssl.org>
790555d6 · Richard Levitte · ea24fe29 · 790555d6
隐藏空白更改
内联并排

Showing with 3 addition and 0 deletion

crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c +3 -0

未找到文件。
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -844,6 +844,9 @@ static int check_cert(X509_STORE_CTX *ctx)
    ctx->current_crl_score = 0;
    ctx->current_reasons = 0;

+    if (x->ex_flags & EXFLAG_PROXY)
+        return 1;
+
    while (ctx->current_reasons != CRLDP_ALL_REASONS) {
        unsigned int last_reasons = ctx->current_reasons;