authorHarry Reimann <[email protected]>2017-11-29 08:35:27 +0100
committerHarry Reimann <[email protected]>2017-12-04 10:54:14 +0100
commit805bb27dff20e491e76142db2b5fe1bd586d4788 (patch)
tree64cc4c6ea4633a86509a8b18635c802ec3c3a8e8 /src/lib/tls/msg_client_hello.cpp
parentb236a8aa0803bac4fba3c1de840379fb01f54ca1 (diff)
Make support for certificate status messages optional via policy
Don't postpone the verification of a server certificate if certificate status messages are not expected in the client handshake. When using an external crypto device, it may be necessary to verify the certificate before using the public key for verification of the signature in the server key exchange message.
Diffstat (limited to 'src/lib/tls/msg_client_hello.cpp')
-rw-r--r--src/lib/tls/msg_client_hello.cpp3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/lib/tls/msg_client_hello.cpp b/src/lib/tls/msg_client_hello.cpp
index 3b13cf21d..bcd8397e8 100644
--- a/src/lib/tls/msg_client_hello.cpp
+++ b/src/lib/tls/msg_client_hello.cpp
@@ -105,7 +105,8 @@ Client_Hello::Client_Hello(Handshake_IO& io,
m_extensions.add(new Renegotiation_Extension(reneg_info));
m_extensions.add(new Server_Name_Indicator(client_settings.hostname()));
- m_extensions.add(new Certificate_Status_Request({}, {}));
+ if(policy.support_cert_status_message())
+ m_extensions.add(new Certificate_Status_Request({}, {}));
if(reneg_info.empty() && !next_protocols.empty())
m_extensions.add(new Application_Layer_Protocol_Notification(next_protocols));
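Review bot: The new `if(policy.support_cert_status_message())` guard carries no comment on what a client gives up when the policy returns false: without the status_request extension the server will not staple an OCSP response, so revocation has to be checked some other way or is not checked at all. A line above the guard such as `// No status_request means no stapled OCSP response; revocation must then be checked by other means` would make that trade-off visible to whoever writes a policy. The policy's default value and how the client handshake treats a certificate status message it did not ask for are not visible in this file, so it is worth confirming that the default keeps the extension enabled and that an unsolicited message is rejected as unexpected. The constructor body starts and ends outside the hunk.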