aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/tls')
-rw-r--r--src/lib/tls/tls_callbacks.cpp3
-rw-r--r--src/lib/tls/tls_policy.cpp5
-rw-r--r--src/lib/tls/tls_policy.h7
3 files changed, 14 insertions, 1 deletions
diff --git a/src/lib/tls/tls_callbacks.cpp b/src/lib/tls/tls_callbacks.cpp
index 7afb3f17f..f25f392b3 100644
--- a/src/lib/tls/tls_callbacks.cpp
+++ b/src/lib/tls/tls_callbacks.cpp
@@ -36,7 +36,8 @@ void TLS::Callbacks::tls_verify_cert_chain(
if(cert_chain.empty())
throw Invalid_Argument("Certificate chain was empty");
- Path_Validation_Restrictions restrictions(true, policy.minimum_signature_strength());
+ Path_Validation_Restrictions restrictions(policy.require_cert_revocation_info(),
+ policy.minimum_signature_strength());
Path_Validation_Result result =
x509_path_validate(cert_chain,
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index e9caa8bb3..84ba5e4bf 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -161,6 +161,11 @@ size_t Policy::minimum_signature_strength() const
return 110;
}
+bool Policy::require_cert_revocation_info() const
+ {
+ return true;
+ }
+
size_t Policy::minimum_rsa_bits() const
{
/* Default assumption is all end-entity certificates should
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index f992949fe..b577eb265 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -66,6 +66,13 @@ class BOTAN_DLL Policy
*/
virtual size_t minimum_signature_strength() const;
+ /**
+ * Return if cert revocation info (CRL/OCSP) is required
+ * If true, validation will fail unless a valid CRL or OCSP response
+ * was examined.
+ */
+ virtual bool require_cert_revocation_info() const;
+
bool allowed_signature_method(const std::string& sig_method) const;
/**