[openssl-commits] [openssl] master update

Richard Levitte levitte at openssl.org
Wed Aug 3 14:12:26 UTC 2016


The branch master has been updated
       via  790555d6756285b3ec18e3efbb195cf33f217d8f (commit)
      from  ea24fe29968299ee68c70467ef4dd2cbc53bbee9 (commit)


- Log -----------------------------------------------------------------
commit 790555d6756285b3ec18e3efbb195cf33f217d8f
Author: Richard Levitte <levitte at openssl.org>
Date:   Wed Aug 3 16:02:20 2016 +0200

    Don't check any revocation info on proxy certificates
    
    Because proxy certificates typically come without any CRL information,
    trying to check revocation on them will fail.  Better not to try
    checking such information for them at all.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_vfy.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 099a4d8..2874574 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -844,6 +844,9 @@ static int check_cert(X509_STORE_CTX *ctx)
     ctx->current_crl_score = 0;
     ctx->current_reasons = 0;
 
+    if (x->ex_flags & EXFLAG_PROXY)
+        return 1;
+
     while (ctx->current_reasons != CRLDP_ALL_REASONS) {
         unsigned int last_reasons = ctx->current_reasons;
 
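Review bot: the early `return 1` added ahead of the `while` loop in check_cert() carries no comment, and it reports success for every certificate with EXFLAG_PROXY set, whether or not that certificate has CRL information. The commit message says proxy certificates "typically" come without it, so the atypical proxy certificate that does carry it is skipped as well. Suggest a short comment above the `if` stating that revocation checking is deliberately bypassed for proxy certificates and why, and a note in the verification documentation so the behaviour is not a surprise to anyone who expects every certificate in the chain to be checked.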

