Commit 1228ae77 authored Aug 03, 2016 by Richard Levitte

Don't check any revocation info on proxy certificates



Because proxy certificates typically come without any CRL information,
trying to check revocation on them will fail.  Better not to try
checking such information for them at all.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 790555d6)

parent 436dead2

crypto/x509/x509_vfy.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -992,6 +992,8 @@ static int check_cert(X509_STORE_CTX *ctx)
		ctx->current_issuer = NULL;
		ctx->current_crl_score = 0;
		ctx->current_reasons = 0;
		if (x->ex_flags & EXFLAG_PROXY)
		return 1;
		while (ctx->current_reasons != CRLDP_ALL_REASONS) {
		last_reasons = ctx->current_reasons;
		/* Try to retrieve relevant CRL */