From a5300584be18c28b4248c5e2c2de1dc02a3e982a Mon Sep 17 00:00:00 2001
From: Perry Werneck
Date: Thu, 17 Jan 2019 13:28:40 -0200
Subject: [PATCH] Adding "./configure" option to allow use of expired CRL.
---
 configure.ac | 13 +++++++++++++
 src/include/config.h.in | 1 +
 src/lib3270/ssl/negotiate.c | 5 +++++
 3 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/configure.ac b/configure.ac
index 4868ffa..ffe4c1c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -353,6 +353,19 @@ if test "$app_cv_self_signed_certs" == "yes"; then
 AC_DEFINE(SSL_ALLOW_SELF_SIGNED_CERT)
 fi
+AC_ARG_ENABLE([expired-crl],
+ [AS_HELP_STRING([--disable-expired-crl], [disable SSL connection when host presents an expired certificate revocation list])],
+[
+ app_cv_expired_crl="$enableval"
+],[
+ app_cv_expired_crl="no"
+])
+
+if test "$app_cv_expired_crl" == "yes"; then
+ AC_DEFINE(SSL_ALLOW_EXPIRED_CRL)
+fi
+
+
 AC_ARG_ENABLE([ssl-crl-check],
 [AS_HELP_STRING([--enable-ssl-crl-check], [Enable use of SSL Certificate Revocation List])],
 [
diff --git a/src/include/config.h.in b/src/include/config.h.in
index caa2dbe..7ae17a0 100644
--- a/src/include/config.h.in
+++ b/src/include/config.h.in
@@ -54,6 +54,7 @@
 #undef HAVE_LDAP
 #undef HAVE_LIBSSL
 #undef SSL_ALLOW_SELF_SIGNED_CERT
+ #undef SSL_ALLOW_EXPIRED_CRL
 #undef SSL_ENABLE_CRL_CHECK
 #undef LIB3270_DEFAULT_CRL
diff --git a/src/lib3270/ssl/negotiate.c b/src/lib3270/ssl/negotiate.c
index 5c09ade..94f365f 100644
--- a/src/lib3270/ssl/negotiate.c
+++ b/src/lib3270/ssl/negotiate.c
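Review bot: The AS_HELP_STRING line in the configure.ac hunk documents `--disable-expired-crl`, but the fallback branch sets `app_cv_expired_crl="no"`, so the option is opt-in and the help text describes the inverse of what the flag does. The text should name the flag a user actually passes and say what it permits: `[AS_HELP_STRING([--enable-expired-crl], [allow the SSL connection to proceed when the host presents an expired certificate revocation list])],`. Because this setting weakens revocation checking for every connection made by that build and cannot be changed at runtime, a one-line comment above the AC_ARG_ENABLE stating that the macro is a compile-time policy would help packagers decide whether to set it.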
@@ -194,10 +194,15 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 case X509_V_ERR_CRL_HAS_EXPIRED:
 trace_ssl(hSession,"%s","The CRL of a certificate has expired.\n" );
+
+#ifdef SSL_ALLOW_EXPIRED_CRL
+ break;
+#else
 ((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" );
 ((SSL_ERROR_MESSAGE *) message)->text = _( "The CRL has expired." );
 ((SSL_ERROR_MESSAGE *) message)->description = _( "The Certificate revocation list (CRL) has expired." );
 return -1;
+#endif // SSL_ALLOW_EXPIRED_CRL
 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
-- 
libgit2 0.21.2
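Review bot: The `break;` added under `#ifdef SSL_ALLOW_EXPIRED_CRL` accepts the connection without recording anywhere in the result that revocation status could not be established, so from the caller's point of view a build with the option set is indistinguishable from one that validated a current CRL. At minimum the accepted path should make the bypass visible in the SSL trace, e.g. `trace_ssl(hSession,"%s","Expired CRL ignored: library built with SSL_ALLOW_EXPIRED_CRL.\n");` placed before the `break;`. Whether the message struct can carry a non-fatal warning cannot be seen from the hunk; if it can, filling `title`/`text` without returning -1 would be preferable to a silent break. The enclosing switch and background_ssl_negotiation itself both start and end outside the hunk.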