From 493c142e582ff5ef1b5fdfcb9653715ef43e83e9 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 21 Feb 2017 09:37:07 +0100
Subject: dirmngr: New Assuan option "http-crl".

* dirmngr/dirmngr.h (server_control_s): New flag 'http_no_crl'.
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set this flag.
* dirmngr/server.c (option_handler): New option "http-crl"
* dirmngr/http.h (HTTP_FLAG_NO_CRL): New flag.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Consult this flag.
* dirmngr/ks-engine-hkp.c (send_request): Set flag depending on CTRL.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.

* dirmngr/t-http.c (main): New option --no-crl.
--

This new option can be used to enable CRL checks on a per session
base.  The default is not to use CRLs for https connections.

Signed-off-by: Werner Koch <wk@gnupg.org>
---
 dirmngr/ks-engine-http.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'dirmngr/ks-engine-http.c')

diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 9352a0f18..d4a6c8a63 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -76,7 +76,9 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
  once_more:
   /* Note that we only use the system provided certificates with the
    * fetch command.  */
-  err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_SYS,
+  err = http_session_new (&session, NULL,
+                          ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
+                           | HTTP_FLAG_TRUST_SYS),
                           gnupg_http_tls_verify_cb, ctrl);
   if (err)
     goto leave;
-- 
cgit v1.2.3