1 files changed, 8 insertions, 4 deletions

diff --git a/radsecproxy.c b/radsecproxy.c
index 91cafcf..7f1ab32 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -2747,7 +2747,7 @@ int tlslistener() {
     return 0;
 }
 
-void tlsadd(char *value, char *cacertfile, char *cacertpath, char *certfile, char *certkeyfile, char *certkeypwd) {
+void tlsadd(char *value, char *cacertfile, char *cacertpath, char *certfile, char *certkeyfile, char *certkeypwd, uint8_t crlcheck) {
     struct tls *new;
     SSL_CTX *ctx;
     STACK_OF(X509_NAME) *calist;
@@ -2816,8 +2816,10 @@ void tlsadd(char *value, char *cacertfile, char *cacertpath, char *certfile, cha
     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);
     SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1);
 
-    x509_s = SSL_CTX_get_cert_store(ctx);
-    X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+    if (crlcheck) {
+	x509_s = SSL_CTX_get_cert_store(ctx);
+	X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+    }
 
     new = malloc(sizeof(struct tls));
     if (!new || !list_push(tlsconfs, new))
@@ -3640,6 +3642,7 @@ int confrealm_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
 
 int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) {
     char *cacertfile = NULL, *cacertpath = NULL, *certfile = NULL, *certkeyfile = NULL, *certkeypwd = NULL;
+    uint8_t crlcheck = 0;
     
     debug(DBG_DBG, "conftls_cb called for %s", block);
     
@@ -3649,11 +3652,12 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
 		     "CertificateFile", CONF_STR, &certfile,
 		     "CertificateKeyFile", CONF_STR, &certkeyfile,
 		     "CertificateKeyPassword", CONF_STR, &certkeypwd,
+		     "CRLCheck", CONF_BLN, &crlcheck,
 		     NULL
 			  ))
 	debugx(1, DBG_ERR, "configuration error");
     
-    tlsadd(val, cacertfile, cacertpath, certfile, certkeyfile, certkeypwd);
+    tlsadd(val, cacertfile, cacertpath, certfile, certkeyfile, certkeypwd, crlcheck);
     free(cacertfile);
     free(cacertpath);
     free(certfile);