Don't check any revocation info on proxy certificates
author Richard Levitte <levitte@openssl.org>
Wed, 3 Aug 2016 14:02:20 +0000 (16:02 +0200)
committer Richard Levitte <levitte@openssl.org>
Wed, 3 Aug 2016 14:15:05 +0000 (16:15 +0200)
Because proxy certificates typically come without any CRL information,
trying to check revocation on them will fail.  Better not to try
checking such information for them at all.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 790555d6756285b3ec18e3efbb195cf33f217d8f)

crypto/x509/x509_vfy.c

index ade5985db5e320b8574fb36d4b4fd9ca0ca7ac6d..8334b3fcff7fb2a92fba494c38ef598b08c2f8a6 100644 (file)
@@ -992,6 +992,8 @@ static int check_cert(X509_STORE_CTX *ctx)
     ctx->current_issuer = NULL;
     ctx->current_crl_score = 0;
     ctx->current_reasons = 0;
+    if (x->ex_flags & EXFLAG_PROXY)
+        return 1;
     while (ctx->current_reasons != CRLDP_ALL_REASONS) {
         last_reasons = ctx->current_reasons;
         /* Try to retrieve relevant CRL */
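Review bot: The new early return in check_cert(), `if (x->ex_flags & EXFLAG_PROXY) return 1;`, carries no comment, so the reason proxy certificates are exempt from the CRL loop lives only in the commit message. Please add a short comment above the test saying that proxy certificates typically carry no CRL information and are deliberately skipped. Returning 1 here is also indistinguishable from "checked and not revoked", so a caller that asked for CRL checking gets no indication that revocation was never evaluated for this certificate. The visible lines do not show whether proxy certificates have been allowed for this context or where ex_flags is populated before this point. It would be worth confirming both, and documenting that the revocation status of a proxy certificate then depends entirely on the checks applied to the rest of the chain.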