mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-10 17:17:06 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: disable CRL checks with WolfSSL when no CRL file

Browse Source 
WolfSSL is enabling by default the CRL checks even if a CRL file wasn't
provided. This patch resets the default X509_STORE flags so this is
not checked by default.
This commit is contained in:
William Lallemand 2023-05-02 18:26:46 +02:00
parent a2fee7f28b
commit 64a77e3ea5
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/ssl_sock.c
View File

@ -4569,6 +4569,7 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
const char *conf_ciphersuites; const char *conf_ciphersuites;
#endif #endif
const char *conf_curves = NULL; const char *conf_curves = NULL;
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
if (ssl_conf) { if (ssl_conf) {
struct tls_version_filter *conf_ssl_methods = &ssl_conf->ssl_methods; struct tls_version_filter *conf_ssl_methods = &ssl_conf->ssl_methods;
@ -4632,6 +4633,10 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
/* set CA names for client cert request, function returns void */ /* set CA names for client cert request, function returns void */
SSL_CTX_set_client_CA_list(ctx, SSL_dup_CA_list(ssl_get_client_ca_file(ca_file))); SSL_CTX_set_client_CA_list(ctx, SSL_dup_CA_list(ssl_get_client_ca_file(ca_file)));
} }
#ifdef USE_OPENSSL_WOLFSSL
/* WolfSSL activates CRL checks by default so we need to disable it */
X509_STORE_set_flags(store, 0) ;
#endif
} }
else { else {
memprintf(err, "%sProxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n", memprintf(err, "%sProxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n",
@ -4640,7 +4645,6 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
} }
#ifdef X509_V_FLAG_CRL_CHECK #ifdef X509_V_FLAG_CRL_CHECK
if (crl_file) { if (crl_file) {
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
if (!ssl_set_cert_crl_file(store, crl_file)) { if (!ssl_set_cert_crl_file(store, crl_file)) {
memprintf(err, "%sProxy '%s': unable to configure CRL file '%s' for bind '%s' at [%s:%d].\n", memprintf(err, "%sProxy '%s': unable to configure CRL file '%s' for bind '%s' at [%s:%d].\n",