Adding "./configure" option to allow use of expired CRL.

Perry Werneck
1 parent 451f0c31
Showing 3 changed files with 19 additions and 0 deletions Show diff stats
configure.ac
src/include/config.h.in
src/lib3270/ssl/negotiate.c
@@ -353,6 +353,19 @@ if test &quot;$app_cv_self_signed_certs&quot; == &quot;yes&quot;; then
 	AC_DEFINE(SSL_ALLOW_SELF_SIGNED_CERT)
 fi
  
+AC_ARG_ENABLE([expired-crl],
+	[AS_HELP_STRING([--disable-expired-crl], [disable SSL connection when host presents an expired certificate revocation list])],
+[
+	app_cv_expired_crl="$enableval"
+],[
+	app_cv_expired_crl="no"
+])
+
+if test "$app_cv_expired_crl" == "yes"; then
+	AC_DEFINE(SSL_ALLOW_EXPIRED_CRL)
+fi
+
+
 AC_ARG_ENABLE([ssl-crl-check],
 	[AS_HELP_STRING([--enable-ssl-crl-check], [Enable use of SSL Certificate Revocation List])],
 [
@@ -54,6 +54,7 @@
 	#undef HAVE_LDAP
 	#undef HAVE_LIBSSL
 	#undef SSL_ALLOW_SELF_SIGNED_CERT
+	#undef SSL_ALLOW_EXPIRED_CRL
 	#undef SSL_ENABLE_CRL_CHECK
 	#undef LIB3270_DEFAULT_CRL
  
@@ -194,10 +194,15 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
  
 	case X509_V_ERR_CRL_HAS_EXPIRED:
 		trace_ssl(hSession,"%s","The CRL of a certificate has expired.\n" );
+
+#ifdef SSL_ALLOW_EXPIRED_CRL
+		break;
+#else
 		((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" );
 		((SSL_ERROR_MESSAGE *) message)->text = _( "The CRL has expired." );
 		((SSL_ERROR_MESSAGE *) message)->description = _( "The Certificate revocation list (CRL) has expired." );
 		return -1;
+#endif // SSL_ALLOW_EXPIRED_CRL
  
 	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
...	...	@@ -353,6 +353,19 @@ if test "$app_cv_self_signed_certs" == "yes"; then
353	353	AC_DEFINE(SSL_ALLOW_SELF_SIGNED_CERT)
354	354	fi
355	355
	356	+AC_ARG_ENABLE([expired-crl],
	357	+ [AS_HELP_STRING([--disable-expired-crl], [disable SSL connection when host presents an expired certificate revocation list])],
	358	+[
	359	+ app_cv_expired_crl="$enableval"
	360	+],[
	361	+ app_cv_expired_crl="no"
	362	+])
	363	+
	364	+if test "$app_cv_expired_crl" == "yes"; then
	365	+ AC_DEFINE(SSL_ALLOW_EXPIRED_CRL)
	366	+fi
	367	+
	368	+
356	369	AC_ARG_ENABLE([ssl-crl-check],
357	370	[AS_HELP_STRING([--enable-ssl-crl-check], [Enable use of SSL Certificate Revocation List])],
358	371	[
...	...
...	...	@@ -54,6 +54,7 @@
54	54	#undef HAVE_LDAP
55	55	#undef HAVE_LIBSSL
56	56	#undef SSL_ALLOW_SELF_SIGNED_CERT
	57	+ #undef SSL_ALLOW_EXPIRED_CRL
57	58	#undef SSL_ENABLE_CRL_CHECK
58	59	#undef LIB3270_DEFAULT_CRL
59	60
...	...
...	...	@@ -194,10 +194,15 @@ static int background_ssl_negotiation(H3270 hSession, void message)
194	194
195	195	case X509_V_ERR_CRL_HAS_EXPIRED:
196	196	trace_ssl(hSession,"%s","The CRL of a certificate has expired.\n" );
	197	+
	198	+#ifdef SSL_ALLOW_EXPIRED_CRL
	199	+ break;
	200	+#else
197	201	((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" );
198	202	((SSL_ERROR_MESSAGE *) message)->text = _( "The CRL has expired." );
199	203	((SSL_ERROR_MESSAGE *) message)->description = _( "The Certificate revocation list (CRL) has expired." );
200	204	return -1;
	205	+#endif // SSL_ALLOW_EXPIRED_CRL
201	206
202	207	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
203	208
...	...