diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -137,6 +137,8 @@ /* End-of-Line */ static const char ENDL[2] = "\r\n"; +/* SSL global options for callback use */ +static int ssl_crl_optional; /*** Error-reporting functions ***********************************************/ @@ -1108,6 +1110,11 @@ X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); } + if (getenv("SSL_CRL_OPTIONAL") != NULL) { + if (verbose) + fetch_info("Using CRL optional: yes"); + ssl_crl_optional = 1; + } } return (1); } @@ -1160,6 +1167,28 @@ char *str; str = NULL; + + /* + * CLRs may be defined explicitly but not always. The absence of a + * CRL distribution point is no indication that a CRL does not exist + * which also means the CRL check being enforced will require to have + * proper CRLs in place for the certificates to be checked which can + * not be guaranteed for a random hostname on the Internet. This will + * disable the specific OpenSSL error that deals with this case given + * the best effort on the user side to supply a full batch of relevant + * CRLs that are required to verify the certificate validity. + */ + if (ssl_crl_optional && !verified && + X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) { + if ((crt = X509_STORE_CTX_get_current_cert(ctx)) != NULL && + (name = X509_get_subject_name(crt)) != NULL) + str = X509_NAME_oneline(name, 0, 0); + fetch_info("No CRL was provided for %s", str); + OPENSSL_free(str); + + verified = 1; + } + if (!verified) { if ((crt = X509_STORE_CTX_get_current_cert(ctx)) != NULL && (name = X509_get_subject_name(crt)) != NULL) @@ -1168,6 +1197,7 @@ str != NULL ? str : "no relevant certificate"); OPENSSL_free(str); } + return (verified); } diff --git a/lib/libfetch/fetch.3 b/lib/libfetch/fetch.3 --- a/lib/libfetch/fetch.3 +++ b/lib/libfetch/fetch.3 @@ -426,6 +426,11 @@ to look for the CRL in the configured trust store file or path (see .Xr crl 1 ) . +CRL presence can be made optional by setting the environment +variable +.Ev SSL_CRL_OPTIONAL +and a message will be printed for an absent CRL without causing +a verification failure. .Pp Peer verification can be disabled by setting the environment variable .Ev SSL_NO_VERIFY_PEER .