Make crl check for connection optional

Add a new parameter to enable the crl check for OCSP connection when acting as client. The new parameter is `ocsp.store.ldapStore.checkSubsystemConnection` and its default value is `false`. When set to `true` connection certificate are verified using the crl stored in the LDAP.
dogtagpki · Jul 28, 2023 · e6a1e0c · e6a1e0c
1 parent 57df77e
commit e6a1e0c
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
@@ -81,6 +81,7 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo {
     private static final String DEF_CA_CERT_ATTR = "cACertificate;binary";
     private static final String PROP_HOST = "host";
     private static final String PROP_PORT = "port";
+    private static final String PROP_CHECK_SUBSYSTEM_CONNECTION = "checkSubsystemConnection";
 
     private final static String PROP_NOT_FOUND_GOOD = "notFoundAsGood";
     private final static String PROP_INCLUDE_NEXT_UPDATE =
@@ -237,7 +238,9 @@ public void startup() throws EBaseException {
 
             updater.start();
         }
-        CMS.setApprovalCallbask(new CRLLdapValidator(this));
+        if(mConfig.getBoolean(PROP_CHECK_SUBSYSTEM_CONNECTION, false)) {
+            CMS.setApprovalCallbask(new CRLLdapValidator(this));
+        }
     }
 
     @Override