From: Richard Levitte Date: Wed, 3 Aug 2016 14:02:20 +0000 (+0200) Subject: Don't check any revocation info on proxy certificates X-Git-Tag: OpenSSL_1_0_2i~94 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=1228ae7738e1ad2189a04ab4ca2dc5a317d1a29c;p=oweals%2Fopenssl.git Don't check any revocation info on proxy certificates Because proxy certificates typically come without any CRL information, trying to check revocation on them will fail. Better not to try checking such information for them at all. Reviewed-by: Rich Salz (cherry picked from commit 790555d6756285b3ec18e3efbb195cf33f217d8f) --- diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index ade5985db5..8334b3fcff 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -992,6 +992,8 @@ static int check_cert(X509_STORE_CTX *ctx) ctx->current_issuer = NULL; ctx->current_crl_score = 0; ctx->current_reasons = 0; + if (x->ex_flags & EXFLAG_PROXY) + return 1; while (ctx->current_reasons != CRLDP_ALL_REASONS) { last_reasons = ctx->current_reasons; /* Try to retrieve relevant CRL */
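
Review bot: The added "if (x->ex_flags & EXFLAG_PROXY) return 1;" in check_cert() returns success before the CRL retrieval loop for every proxy certificate, including any that do carry revocation information; the commit message only says they "typically" come without it. The check also has no comment, so a reader of x509_vfy.c cannot tell why this class of certificate is exempt. Please add a short comment above the check giving the reason, and document that revocation is never evaluated for a proxy certificate, so that callers who enable CRL checking know it does not cover them. If the intent is only to avoid the failure when no CRL exists, consider skipping the check only in that case rather than unconditionally.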