Displaying 3 results from an estimated 3 matches for "x509_v_flag_crl_check_all".
2006 Jun 01
1
ssl-proxy: client certificates and crl check
...SSL_VERIFY_CLIENT_ONCE,
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
ssl_verify_client_cert);
}
+ /* HJHJ */
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+ X509_STORE *store;
+ if( (store=SSL_CTX_get_cert_store(ssl_ctx)) != NULL )
+ { X509_STORE_set_flags( store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); }
+ else
+ { i_warning("X509 get cert store failed..."); }
+#endif
+ /* HJHJ */
+
/* PRNG initialization might want to use /dev/urandom, make sure it
does it before chrooting. We might not have enough entropy at
the first try, so this function may fail. It's still been
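Review bot: the X509_STORE_set_flags() call enables X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL unconditionally for every build against OpenSSL >= 0.9.7, which makes client-certificate verification fail outright whenever no CRL for an issuing CA has been loaded into the store; gate the flags on a configuration setting (the later ssl_require_crl thread on this page describes exactly that failure) instead of forcing revocation checking on every deployment that uses client certificates. The /* HJHJ */ marker comments should be removed before commit, and the NULL-store branch deserves more than an i_warning(), since continuing without the flags silently disables revocation checking.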
2013 Apr 07
1
ssl_require_crl does not work as expected
...now what the proxy-stuff is about so instead of ignoring CRL-related
errors I tried to disable CRL-checking. I therefore commented out two lines
in
ssl_proxy_ctx_verify_client() in ssl-proxy-openssl.c line 1004, namely:
// X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
// X509_V_FLAG_CRL_CHECK_ALL);
This tells OpenSSL not to check CRLs. Of course in production code this
should be done only if "ssl_require_crl = no".
Similar code is contained in iostream-openssl-context.c,
namely in routine ssl_iostream_ctx_verify_remote_cert().
Is this a bug?
Peter
2015 Feb 11
2
[PATCH] Fix for client certificate validation does not work
...t(struct ssl_iostream_context *ctx,
- STACK_OF(X509_NAME) *ca_names)
+ssl_iostream_ctx_verify_remote_cert(struct ssl_iostream_context *ctx)
{
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
X509_STORE *store;
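Review bot: the ca_names parameter is dropped from ssl_iostream_ctx_verify_remote_cert(), but the caller and the code that built the STACK_OF(X509_NAME) are outside this excerpt; confirm that the stack is still freed (or no longer allocated) on the calling side, otherwise the change trades one problem for a leak.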
@@ -274,8 +251,6 @@
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL);
#endif
-
- SSL_CTX_set_client_CA_list(ctx->ssl_ctx, ca_names);
}
static struct ssl_iostream_settings *
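Review bot: removing the SSL_CTX_set_client_CA_list(ctx->ssl_ctx, ca_names) call leaves no replacement visible in this hunk, so unless the acceptable-CA list is now set elsewhere the server will send an empty CA name list in its CertificateRequest and clients may not offer a certificate at all. Either show where the list is populated in its new location or note in the commit message why it is no longer needed.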
@@ -320,18 +295,17 @@
const char **error_r)
{
X509_STORE *store;
- STACK_OF(X509_NAME) *xnames = NULL;
const char *ca_file, *ca_dir;
bool have_ca = FALSE;
if (set->...