revocation: More accurately describe the flags to disable OCSP/CRL validation
These options disable validation as such, e.g. even from cached CRLs, not only the fetching. Also made the plugin's validate() implementation a no-op if both options are disabled.
This commit is contained in:
parent
067fd2c69c
commit
2de9bb30fe
@ -1,7 +1,7 @@
|
|||
charon.plugins.revocation.enable_ocsp = yes
|
||||
Whether OCSP fetching should be enabled.
|
||||
Whether OCSP validation should be enabled.
|
||||
|
||||
charon.plugins.revocation.enable_crl = yes
|
||||
Whether CRL fetching should be enabled.
|
||||
Whether CRL validation should be enabled.
|
||||
|
||||
|
||||
|
|
|
@ -38,12 +38,12 @@ struct private_revocation_validator_t {
|
|||
revocation_validator_t public;
|
||||
|
||||
/**
|
||||
* Enable OCSP fetching
|
||||
* Enable OCSP validation
|
||||
*/
|
||||
bool enable_ocsp;
|
||||
|
||||
/**
|
||||
* Enable CRL fetching
|
||||
* Enable CRL validation
|
||||
*/
|
||||
bool enable_crl;
|
||||
|
||||
|
@ -743,9 +743,9 @@ METHOD(cert_validator_t, validate, bool,
|
|||
certificate_t *issuer, bool online, u_int pathlen, bool anchor,
|
||||
auth_cfg_t *auth)
|
||||
{
|
||||
if (subject->get_type(subject) == CERT_X509 &&
|
||||
issuer->get_type(issuer) == CERT_X509 &&
|
||||
online)
|
||||
if (online && (this->enable_ocsp || this->enable_crl) &&
|
||||
subject->get_type(subject) == CERT_X509 &&
|
||||
issuer->get_type(issuer) == CERT_X509)
|
||||
{
|
||||
DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
|
||||
subject->get_subject(subject));
|
||||
|
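Review bot: The new early-out in validate() leaves no per-certificate trace when the status check is skipped because both enable_ocsp and enable_crl are off; the "all OCSP/CRL validation disabled" messages added in the create() hunk fire once at startup, so a later log of a successful authentication gives no hint that revocation status was never consulted for that peer. An `else` branch logging the skip at a lower level, e.g. `DBG2(DBG_CFG, "revocation checking disabled, skipping status check of \"%Y\"", subject->get_subject(subject));`, would make that visible without adding noise at DBG1. Moving the flag test ahead of the two get_type() calls is fine, but a one-line comment such as `/* nothing to check when both OCSP and CRL validation are off, not even cached CRLs */` would tie the condition to the intent stated in the commit message. The METHOD body continues outside the hunk, so the value returned on the skipped path is not visible here; presumably it is the same accept-by-default result the old `!online` case already produced, which is worth confirming.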
@ -832,12 +832,11 @@ revocation_validator_t *revocation_validator_create()
|
|||
|
||||
if (!this->enable_ocsp)
|
||||
{
|
||||
DBG1(DBG_LIB, "all OCSP fetching disabled");
|
||||
DBG1(DBG_LIB, "all OCSP validation disabled");
|
||||
}
|
||||
if (!this->enable_crl)
|
||||
{
|
||||
DBG1(DBG_LIB, "all CRL fetching disabled");
|
||||
DBG1(DBG_LIB, "all CRL validation disabled");
|
||||
}
|
||||
|
||||
return &this->public;
|
||||
}
|
||||
|
|