From 6ac071a1319d4fa8ada0bd710d11b867bccff068 Mon Sep 17 00:00:00 2001
From: Karthik Gooli
Date: Fri, 28 Feb 2025 19:07:20 -0600
Subject: [PATCH] disable CRL checks when OCSP responder URL is available
---
 src/main/tls.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/main/tls.c b/src/main/tls.c
index c51906c23b03a..bb4a9064c997e 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -2708,6 +2708,12 @@ static ocsp_status_t ocsp_check(REQUEST *request, X509_STORE *store, X509 *issue
 RDEBUG2("ocsp: Using responder URL \"http://%s:%s%s\"", host, port, path);
+ /* The underlying openssl library function: OCSP_response_get1_basic failure due to CRL checks fails the OCSP operation even though CRL checks are not needed in this flow. Disable CRL checks in this flow. */
+ /* ref: https://docs.openssl.org/3.4/man3/X509_STORE_get0_param/#synopsis */
+ X509_VERIFY_PARAM *param = X509_STORE_get0_param(store);
+ if (param != NULL) {
+ X509_VERIFY_PARAM_clear_flags(param, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+ }
 /* Check host and port length are sane, then create Host: HTTP header */
 if ((strlen(host) + strlen(port) + 2) > sizeof(hostheader)) {
 RWDEBUG("(TLS) ocsp: Host and port too long");
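Review bot: The `X509_VERIFY_PARAM_clear_flags` call does not disable CRL checks "in this flow" as the new comment claims; `X509_STORE_get0_param` returns the store's own parameter object, so clearing `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL` on it permanently changes `store` for every later verification that uses it, and it does so from the per-request path on each OCSP check. If `store` is the dedicated OCSP/revocation store built once at startup, the clear belongs where that store is created (its flags are then set once and not rewritten from request threads); if it can be the SSL_CTX's certificate store, this silently turns off the operator's configured CRL checking for client-certificate verification after the first OCSP lookup, which is a security regression rather than a scoping fix. Either way the comment should say what actually happens, e.g. `/* Clear CRL flags on the shared store: this persists for all later verifications using it */`, and the placement should move so the flag state is not mutated per request; the `param != NULL` guard is harmless but `X509_STORE_get0_param` does not return NULL for a valid store. The enclosing function `ocsp_check` starts and ends outside the hunk, and the first comment line should be wrapped to the file's line length.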