From: Graham Leggett Date: Tue, 14 Jun 2016 16:34:14 +0000 (+0000) Subject: mod_ssl: Don't enable CRL checks/flags by default. X-Git-Tag: 2.4.21~18 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=abc50f6d6cff1a49dffb1491ac004eb25e7d680f;p=apache mod_ssl: Don't enable CRL checks/flags by default. (follow up/fix to r1748338 committed in 2.4.21) Submitted by: ylavic Reviewed by: icing, minfrin git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1748442 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 2bcf45374e..43ca3728d6 100644 --- a/STATUS +++ b/STATUS @@ -114,11 +114,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_ssl: Don't enable CRL checks/flags by default. - (follow up/fix to r1748338 committed in 2.4.21) - trunk patch: http://svn.apache.org/r1748368 - 2.4.x: trunk works - +1: ylavic, icing, minfrin PATCHES PROPOSED TO BACKPORT FROM TRUNK: diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 270c86cd40..9adca48acd 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -787,7 +787,12 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s, X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx); unsigned long crlflags = 0; char *cfgp = mctx->pkp ? "SSLProxy" : "SSL"; - int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS; + int crl_check_mode; + + if (mctx->crl_check_mask == UNSET) { + mctx->crl_check_mask = SSL_CRLCHECK_NONE; + } + crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS; /* * Configure Certificate Revocation List (CRL) Details
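Review bot: In the ssl_engine_init.c hunk, the new `if (mctx->crl_check_mask == UNSET)` block in ssl_init_ctx_crl() has no comment saying why the default must be applied before `& ~SSL_CRLCHECK_FLAGS`, and that ordering is the whole fix. Masking an UNSET value directly can leave a crl_check_mode other than SSL_CRLCHECK_NONE, which matches the commit subject's "enabled by default" behaviour. A one-line comment above the `if`, stating that UNSET means no CRL checking was configured and has to map to SSL_CRLCHECK_NONE before masking, would keep a later cleanup from folding the assignment back into the declaration. The block also writes the default into mctx->crl_check_mask from inside an init function, so anything that reads the field before ssl_init_ctx_crl() runs would still see UNSET; if such readers exist, resolving the default where the configuration is merged would be the safer place.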