Commit a5300584be18c28b4248c5e2c2de1dc02a3e982a

Authored by Perry Werneck
1 parent 451f0c31

Adding "./configure" option to allow use of expired CRL.

configure.ac
... ... @@ -353,6 +353,19 @@ if test "$app_cv_self_signed_certs" == "yes"; then
353 353 AC_DEFINE(SSL_ALLOW_SELF_SIGNED_CERT)
354 354 fi
355 355  
  356 +AC_ARG_ENABLE([expired-crl],
  357 + [AS_HELP_STRING([--disable-expired-crl], [disable SSL connection when host presents an expired certificate revocation list])],
  358 +[
  359 + app_cv_expired_crl="$enableval"
  360 +],[
  361 + app_cv_expired_crl="no"
  362 +])
  363 +
  364 +if test "$app_cv_expired_crl" == "yes"; then
  365 + AC_DEFINE(SSL_ALLOW_EXPIRED_CRL)
  366 +fi
  367 +
  368 +
356 369 AC_ARG_ENABLE([ssl-crl-check],
357 370 [AS_HELP_STRING([--enable-ssl-crl-check], [Enable use of SSL Certificate Revocation List])],
358 371 [
... ...
src/include/config.h.in
... ... @@ -54,6 +54,7 @@
54 54 #undef HAVE_LDAP
55 55 #undef HAVE_LIBSSL
56 56 #undef SSL_ALLOW_SELF_SIGNED_CERT
  57 + #undef SSL_ALLOW_EXPIRED_CRL
57 58 #undef SSL_ENABLE_CRL_CHECK
58 59 #undef LIB3270_DEFAULT_CRL
59 60  
... ...
src/lib3270/ssl/negotiate.c
... ... @@ -194,10 +194,15 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
194 194  
195 195 case X509_V_ERR_CRL_HAS_EXPIRED:
196 196 trace_ssl(hSession,"%s","The CRL of a certificate has expired.\n" );
  197 +
  198 +#ifdef SSL_ALLOW_EXPIRED_CRL
  199 + break;
  200 +#else
197 201 ((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" );
198 202 ((SSL_ERROR_MESSAGE *) message)->text = _( "The CRL has expired." );
199 203 ((SSL_ERROR_MESSAGE *) message)->description = _( "The Certificate revocation list (CRL) has expired." );
200 204 return -1;
  205 +#endif // SSL_ALLOW_EXPIRED_CRL
201 206  
202 207 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
203 208  
... ...