Add option to be able to disable nonce in OCSP request

[freeradius.git] / src / main / tls.c

diff --git a/src/main/tls.c b/src/main/tls.c
index f33841d..c975758 100644 (file)
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -779,6 +779,8 @@ static CONF_PARSER ocsp_config[] = {
          offsetof(fr_tls_server_conf_t, ocsp_override_url), NULL, "no"},
        { "url", PW_TYPE_STRING_PTR,
          offsetof(fr_tls_server_conf_t, ocsp_url), NULL, NULL },
+       { "use_nonce", PW_TYPE_BOOLEAN,
+         offsetof(fr_tls_server_conf_t, ocsp_use_nonce), NULL, "yes"},
        { NULL, -1, 0, NULL, NULL }           /* end the list */
 };
 #endif
@@ -1074,7 +1076,9 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
        certid = OCSP_cert_to_id(NULL, client_cert, issuer_cert);
        req = OCSP_REQUEST_new();
        OCSP_request_add0_id(req, certid);
-       OCSP_request_add1_nonce(req, NULL, 8);
+       if(conf->ocsp_use_nonce) {
+               OCSP_request_add1_nonce(req, NULL, 8);
+       }
 
        /*
         * Send OCSP Request and get OCSP Response
@@ -1113,7 +1117,7 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
                goto ocsp_end;
        }
        bresp = OCSP_response_get1_basic(resp);
-       if(OCSP_check_nonce(req, bresp)!=1) {
+       if(conf->ocsp_use_nonce && OCSP_check_nonce(req, bresp)!=1) {
                radlog(L_ERR, "Error: OCSP response has wrong nonce value");
                goto ocsp_end;
        }