Commit a5300584be18c28b4248c5e2c2de1dc02a3e982a
1 parent
451f0c31
Adding "./configure" option to allow use of expired CRL.
Showing
3 changed files
with
19 additions
and
0 deletions
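--- a/configure.ac
+++ b/configure.ac
@@ -353,6 +353,19 @@ if test "$app_cv_self_signed_certs" == "yes"; then
 AC_DEFINE(SSL_ALLOW_SELF_SIGNED_CERT)
 fi
 
+AC_ARG_ENABLE([expired-crl],
+ [AS_HELP_STRING([--disable-expired-crl], [disable SSL connection when host presents an expired certificate revocation list])],
+[
+ app_cv_expired_crl="$enableval"
+],[
+ app_cv_expired_crl="no"
+])
+
+if test "$app_cv_expired_crl" == "yes"; then
+ AC_DEFINE(SSL_ALLOW_EXPIRED_CRL)
+fi
+
+
 AC_ARG_ENABLE([ssl-crl-check],
 [AS_HELP_STRING([--enable-ssl-crl-check], [Enable use of SSL Certificate Revocation List])],
 [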
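Review bot: The help string on the new AC_ARG_ENABLE (line 357) advertises `--disable-expired-crl`, but the action-if-not-given branch already sets `app_cv_expired_crl="no"`, so that flag is a no-op and the only switch that changes anything, `--enable-expired-crl`, is never shown by `./configure --help`. Rejecting expired CRLs by default is the right choice, so fix the text rather than the default: `[AS_HELP_STRING([--enable-expired-crl], [accept SSL connections even when the host presents an expired certificate revocation list (default: no)])],`. The `== "yes"` comparison follows the file's existing self-signed-cert test, though `==` in `test` is a bash extension rather than POSIX.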
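--- a/src/include/config.h.in
+++ b/src/include/config.h.in
@@ -54,6 +54,7 @@
 #undef HAVE_LDAP
 #undef HAVE_LIBSSL
 #undef SSL_ALLOW_SELF_SIGNED_CERT
+ #undef SSL_ALLOW_EXPIRED_CRL
 #undef SSL_ENABLE_CRL_CHECK
 #undef LIB3270_DEFAULT_CRL
 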
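Review bot: The added `#undef SSL_ALLOW_EXPIRED_CRL` on line 57 appears to carry a leading space, while the neighbouring `#undef` lines in the template start at column 0; if that is a real character and not a rendering artifact, drop it so the line reads `#undef SSL_ALLOW_EXPIRED_CRL` like the rest of the block. A brief trailing comment tying it to the configure switch, e.g. `/* set by --enable-expired-crl */`, would make the template self-explanatory.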
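--- a/src/lib3270/ssl/negotiate.c
+++ b/src/lib3270/ssl/negotiate.c
@@ -194,10 +194,15 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 
 case X509_V_ERR_CRL_HAS_EXPIRED:
 trace_ssl(hSession,"%s","The CRL of a certificate has expired.\n" );
+
+#ifdef SSL_ALLOW_EXPIRED_CRL
+ break;
+#else
 ((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" );
 ((SSL_ERROR_MESSAGE *) message)->text = _( "The CRL has expired." );
 ((SSL_ERROR_MESSAGE *) message)->description = _( "The Certificate revocation list (CRL) has expired." );
 return -1;
+#endif // SSL_ALLOW_EXPIRED_CRL
 
 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
 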
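Review bot: With SSL_ALLOW_EXPIRED_CRL defined, the added `break;` accepts the connection after a CRL-expired verification failure without leaving any record that the check was waived: the only trace line is the one before the `#ifdef`, which reads like the error path, and the message struct is left untouched, so nothing downstream can distinguish a clean verification from a bypassed one. At minimum log the waiver explicitly, e.g. `trace_ssl(hSession,"%s","Expired CRL ignored: built with SSL_ALLOW_EXPIRED_CRL.\n");` immediately before the `break;`. Whether code after the switch records a degraded verification state cannot be seen here; background_ssl_negotiation begins and ends outside the hunk.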