mod_ssl: Don't enable CRL checks/flags by default.
authorGraham Leggett <minfrin@apache.org>
Tue, 14 Jun 2016 16:34:14 +0000 (16:34 +0000)
committerGraham Leggett <minfrin@apache.org>
Tue, 14 Jun 2016 16:34:14 +0000 (16:34 +0000)
(follow up/fix to r1748338 committed in 2.4.21)

Submitted by: ylavic
Reviewed by: icing, minfrin

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1748442 13f79535-47bb-0310-9956-ffa450edef68

STATUS
modules/ssl/ssl_engine_init.c

diff --git a/STATUS b/STATUS
index 2bcf45374ee5978bb84b0486940628aced9b7e59..43ca3728d67100867bd903af1b7f31a928ec2615 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -114,11 +114,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   *) mod_ssl: Don't enable CRL checks/flags by default.
-               (follow up/fix to r1748338 committed in 2.4.21)
-     trunk patch: http://svn.apache.org/r1748368
-     2.4.x: trunk works
-     +1: ylavic, icing, minfrin
 
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
index 270c86cd4096af16088a04f438d9c9e7229567b1..9adca48acd4cf504311d0086d0e478cc38b3c5a1 100644 (file)
@@ -787,7 +787,12 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
     X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
     unsigned long crlflags = 0;
     char *cfgp = mctx->pkp ? "SSLProxy" : "SSL";
-    int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
+    int crl_check_mode;
+
+    if (mctx->crl_check_mask == UNSET) {
+        mctx->crl_check_mask = SSL_CRLCHECK_NONE;
+    }
+    crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
 
     /*
      * Configure Certificate Revocation List (CRL) Details
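Review bot: The added `if (mctx->crl_check_mask == UNSET)` block has no comment saying why the sentinel must be replaced before the mask is applied, which is the security-relevant reason for the change. Without the guard, the sentinel itself is masked with `~SSL_CRLCHECK_FLAGS`, so whatever bits UNSET has set (presumably all of them, if it is -1; confirm against the header) are read as a check mode. I would add above the `if`: `/* UNSET is a sentinel, not a mask: map it to SSL_CRLCHECK_NONE so revocation checking stays off unless configured */`. The guard also writes the default back into `mctx`, so it is worth confirming that nothing reads `crl_check_mask` before ssl_init_ctx_crl() has run; the function body starts and continues outside this hunk.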