MINOR: ssl: disable server side default CRL check with WolfSSL

Patch 64a77e3ea5 disabled the CRL check when no CRL file was provided, but
only on the bind side. Add the same fix on the server context
initialization side.
This allows to enable peer verification (verify required) on a server
using TLS, without having to provide a CRL file.
Damien Claisse 2024-10-08 13:32:49 +00:00 committed by William Lallemand
parent 456c3997b2
commit ba7c03c18e


@ -4432,6 +4432,7 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
#if defined(SSL_CTX_set1_curves_list)
const char *conf_curves = NULL;
#endif
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max))
ha_warning("no-sslv3/no-tlsv1x are ignored for this server. "
@ -4520,6 +4521,10 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
srv->ssl_ctx.ca_file);
cfgerr++;
}
#ifdef USE_OPENSSL_WOLFSSL
/* WolfSSL activates CRL checks by default so we need to disable it */
X509_STORE_set_flags(store, 0) ;
#endif
}
else {
if (global.ssl_server_verify == SSL_SERVER_VERIFY_REQUIRED)
@ -4530,8 +4535,6 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
}
#ifdef X509_V_FLAG_CRL_CHECK
if (srv->ssl_ctx.crl_file) {
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
if (!ssl_set_cert_crl_file(store, srv->ssl_ctx.crl_file)) {
ha_alert("unable to configure CRL file '%s'.\n",
srv->ssl_ctx.crl_file);
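Review bot: The `X509_STORE_set_flags(store, 0)` added in the second hunk clears the store's flag word unconditionally, and whether a configured CRL is still checked depends on the `if (srv->ssl_ctx.crl_file)` block in the third hunk running afterwards and re-enabling it; that ordering dependency is not stated, so the comment should record it, e.g. `/* WolfSSL enables CRL checking by default; clear it here, before the crl_file block below re-enables it when a CRL file is configured */`. If wolfSSL's `X509_STORE_set_flags` assigns rather than ORs the flags, passing 0 also drops any other verification flag set on the store before this point, which is worth confirming against the wolfSSL compat layer. The first hunk hoists `X509_STORE *store` to function scope, so on a build where neither `USE_OPENSSL_WOLFSSL` nor `X509_V_FLAG_CRL_CHECK` is defined it is likely an unused variable; keeping the declaration under the same guards, or adding `(void)store;`, avoids the warning. The stray space in `X509_STORE_set_flags(store, 0) ;` should also go. ssl_sock_prepare_srv_ssl_ctx starts and ends outside these hunks.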