authorRichard Levitte <levitte@openssl.org>2016-08-03 16:02:20 +0200
committerRichard Levitte <levitte@openssl.org>2016-08-03 16:05:28 +0200
commit790555d6756285b3ec18e3efbb195cf33f217d8f (patch)
tree2c58872b58d0a706b7a7fe02a3460e513ae8a973 /crypto/x509
parentea24fe29968299ee68c70467ef4dd2cbc53bbee9 (diff)
Don't check any revocation info on proxy certificates
Because proxy certificates typically come without any CRL information, trying to check revocation on them will fail. Better not to try checking such information for them at all. Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/x509_vfy.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 099a4d81bb..28745741b2 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -844,6 +844,9 @@ static int check_cert(X509_STORE_CTX *ctx)
ctx->current_crl_score = 0;
ctx->current_reasons = 0;
+ if (x->ex_flags & EXFLAG_PROXY)
+ return 1;
+
while (ctx->current_reasons != CRLDP_ALL_REASONS) {
unsigned int last_reasons = ctx->current_reasons;
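Review bot: The early `return 1` in check_cert reports a proxy certificate as passing revocation without looking at the certificate that issued it, so catching a revoked end-entity certificate depends entirely on the caller visiting the rest of the chain. The caller is not in this hunk; if it only visits depth 0 unless `X509_V_FLAG_CRL_CHECK_ALL` is set, a chain whose leaf is a proxy certificate would get no revocation check at all under plain `X509_V_FLAG_CRL_CHECK`, which is worth confirming before merging. The branch also has no comment, and I would add `/* Proxy certs carry no CRL info; revocation of the issuing EE cert is the caller's job */` above the test. The test relies on `x->ex_flags` already being populated at this point, which presumably holds because extension checks run earlier in verification, but that is not visible here. check_cert starts and ends outside the hunk.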