mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2026-01-07 17:52:10 +01:00
80 lines
2.8 KiB
Diff
80 lines
2.8 KiB
Diff
From 874b39451702338389260edbfc52b381b20352ec Mon Sep 17 00:00:00 2001
|
|
From: "Alan T. DeKok" <aland@freeradius.org>
|
|
Date: Mon, 22 Jun 2015 15:27:10 -0400
|
|
Subject: [PATCH] Set X509_V_FLAG_CRL_CHECK_ALL
|
|
|
|
---
|
|
raddb/mods-available/eap | 6 +++++-
|
|
src/include/tls-h | 1 +
|
|
src/main/tls.c | 12 ++++++++++++
|
|
3 files changed, 18 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
|
|
index 165971a..10026ec 100644
|
|
--- a/raddb/mods-available/eap
|
|
+++ b/raddb/mods-available/eap
|
|
@@ -269,9 +269,13 @@ eap {
|
|
# 1) Copy CA certificates and CRLs to same directory.
|
|
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
|
|
# 'c_rehash' is OpenSSL's command.
|
|
- # 3) uncomment the line below.
|
|
+ # 3) uncomment the lines below.
|
|
# 5) Restart radiusd
|
|
# check_crl = yes
|
|
+
|
|
+ # Check if intermediate CAs have been revoked.
|
|
+ # check_all_crl = yes
|
|
+
|
|
ca_path = ${cadir}
|
|
|
|
#
|
|
diff --git a/src/include/tls-h b/src/include/tls-h
|
|
index 9fdc775..a41c6f5 100644
|
|
--- a/src/include/tls-h
|
|
+++ b/src/include/tls-h
|
|
@@ -347,6 +347,7 @@ struct fr_tls_server_conf_t {
|
|
*/
|
|
uint32_t fragment_size;
|
|
bool check_crl;
|
|
+ bool check_all_crl;
|
|
bool allow_expired_crl;
|
|
char const *check_cert_cn;
|
|
char const *cipher_list;
|
|
diff --git a/src/main/tls.c b/src/main/tls.c
|
|
index 692651f..9df48b4 100644
|
|
--- a/src/main/tls.c
|
|
+++ b/src/main/tls.c
|
|
@@ -999,6 +999,9 @@ static CONF_PARSER tls_server_config[] = {
|
|
{ "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
|
|
{ "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
|
|
{ "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
|
|
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
|
|
+ { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" },
|
|
+#endif
|
|
{ "allow_expired_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, allow_expired_crl), NULL },
|
|
{ "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_cn), NULL },
|
|
{ "cipher_list", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, cipher_list), NULL },
|
|
@@ -2104,6 +2107,10 @@ static X509_STORE *init_revocation_store(fr_tls_server_conf_t *conf)
|
|
if (conf->check_crl)
|
|
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
|
|
#endif
|
|
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
|
|
+ if (conf->check_all_crl)
|
|
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
|
|
+#endif
|
|
return store;
|
|
}
|
|
#endif /* HAVE_OPENSSL_OCSP_H */
|
|
@@ -2591,6 +2598,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client)
|
|
return NULL;
|
|
}
|
|
X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
|
|
+
|
|
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
|
|
+ if (conf->check_all_crl)
|
|
+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
|
|
+#endif
|
|
}
|
|
#endif
|
|
|