search for: x509_v_flag_crl_check_all

Displaying 3 results from an estimated 3 matches for "x509_v_flag_crl_check_all".

2006 Jun 01
1
ssl-proxy: client certificates and crl check
...SSL_VERIFY_CLIENT_ONCE, + SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_client_cert); } + /* HJHJ */ +#if OPENSSL_VERSION_NUMBER >= 0x00907000L + X509_STORE *store; + if( (store=SSL_CTX_get_cert_store(ssl_ctx)) != NULL ) + { X509_STORE_set_flags( store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); } + else + { i_warning("X509 get cert store failed..."); } +#endif + /* HJHJ */ + /* PRNG initialization might want to use /dev/urandom, make sure it does it before chrooting. We might not have enough entropy at the first try, so this function may fail. It's still been
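Review bot: setting X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL unconditionally on the store returned by SSL_CTX_get_cert_store() makes OpenSSL require a CRL for every certificate in the chain, so if no CRL has been loaded into that store every client certificate verification fails rather than proceeding without revocation data; the flags should only be set when a CRL is actually configured (for example gated on a require-CRL setting), and the "/* HJHJ */" marker comments look like leftover debugging notes that should be dropped before the change is merged.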
2013 Apr 07
1
ssl_require_crl does not work as expected
...now what the proxy-stuff is about so instead of ignoring CRL-related errors I tried to disable CRL-checking. I therefore commented out two lines in ssl_proxy_ctx_verify_client() in ssl-proxy-openssl.c line 1004, namely: // X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | // X509_V_FLAG_CRL_CHECK_ALL); This tells OpenSSL not to check CRLs. Of course in production code this should be done only if "ssl_require_crl = no". Similar code is contained in iostream-openssl-context.c, namely in routine ssl_iostream_ctx_verify_remote_cert() Is this a bug? Peter
2015 Feb 11
2
[PATCH] Fix for client certificate validation does not work
...t(struct ssl_iostream_context *ctx, - STACK_OF(X509_NAME) *ca_names) +ssl_iostream_ctx_verify_remote_cert(struct ssl_iostream_context *ctx) { #if OPENSSL_VERSION_NUMBER >= 0x00907000L X509_STORE *store; @@ -274,8 +251,6 @@ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); #endif - - SSL_CTX_set_client_CA_list(ctx->ssl_ctx, ca_names); } static struct ssl_iostream_settings * @@ -320,18 +295,17 @@ const char **error_r) { X509_STORE *store; - STACK_OF(X509_NAME) *xnames = NULL; const char *ca_file, *ca_dir; bool have_ca = FALSE; if (set->...