From 4bab097ffc74c50f6d86a743ec316e15e4ca2557 Mon Sep 17 00:00:00 2001 From: Gerhard Rieger Date: Sat, 17 Jun 2023 08:44:02 +0200 Subject: [PATCH] Warning that Socat does not check CRLs --- CHANGES | 4 ++++ xio-openssl.c | 1 + 2 files changed, 5 insertions(+) diff --git a/CHANGES b/CHANGES index 65da1b3..b9b0a4f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@  +Security: + Socats OpenSSL addresses do not (and never did) check certificate + revocation lists (CRLs). Socat now prints a warning about this. + Features: Added the --experimental option that enables use of features that might change in the future. diff --git a/xio-openssl.c b/xio-openssl.c index 2215662..311d61b 100644 --- a/xio-openssl.c +++ b/xio-openssl.c @@ -1397,6 +1397,7 @@ cont_out: sycSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER| SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); + Warn("OpenSSL: Warning: this implementation does not check CRLs"); } else { sycSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE,
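Review bot: The added `Warn(...)` in the verify-enabled branch of xio-openssl.c states only that CRLs are not checked and leaves out the consequence an operator needs: a peer certificate that still chains to the trusted CA is accepted even after it has been revoked. I would spell that out, for example `Warn("OpenSSL: peer certificates are not checked against CRLs; revoked certificates are still accepted");`, which also drops the inner "Warning:" that the Warn level presumably already conveys. Because the call sits directly after `sycSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|...)`, it appears to fire each time a verifying context is set up; if that path runs per connection or per forked child, emitting it once would keep the log readable. A one-line comment above it such as `/* verification does not include revocation (CRL) checks; see CHANGES */` would help the next reader. The enclosing if/else starts and ends outside the hunk, so the condition guarding this branch is not visible here.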