Commit 790555d6 authored by Richard Levitte's avatar Richard Levitte
Browse files

Don't check any revocation info on proxy certificates 



Because proxy certificates typically come without any CRL information,
trying to check revocation on them will fail.  Better not to try
checking such information for them at all.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent ea24fe29

crypto/x509/x509_vfy.c

+3 −0
Original line number Original line Diff line number Diff line
@@ -844,6 +844,9 @@ static int check_cert(X509_STORE_CTX *ctx) 
    ctx->current_crl_score = 0;

    ctx->current_crl_score = 0;

    ctx->current_reasons = 0;

    ctx->current_reasons = 0;





    if (x->ex_flags & EXFLAG_PROXY)

        return 1;



    while (ctx->current_reasons != CRLDP_ALL_REASONS) {

    while (ctx->current_reasons != CRLDP_ALL_REASONS) {

        unsigned int last_reasons = ctx->current_reasons;

        unsigned int last_reasons = ctx->current_reasons;