From e6a1e0c23e7b8b78e739e1200c44ae151de7d6a1 Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Fri, 28 Jul 2023 10:56:56 +0200
Subject: [PATCH] Make crl check for connection optional

Add a new parameter to enable the crl check for OCSP connection when acting as client. The new parameter is `ocsp.store.ldapStore.checkSubsystemConnection` and its default value is `false`. When set to `true` connection certificate are verified using the crl stored in the LDAP.
---
 base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
index 60d212ca6d2..2100de84355 100644
--- a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
+++ b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
@@ -81,6 +81,7 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo {
     private static final String DEF_CA_CERT_ATTR = "cACertificate;binary";
     private static final String PROP_HOST = "host";
     private static final String PROP_PORT = "port";
+    private static final String PROP_CHECK_SUBSYSTEM_CONNECTION = "checkSubsystemConnection";
     private final static String PROP_NOT_FOUND_GOOD = "notFoundAsGood";
     private final static String PROP_INCLUDE_NEXT_UPDATE =
@@ -237,7 +238,9 @@ public void startup() throws EBaseException {
             updater.start();
         }
 
-        CMS.setApprovalCallbask(new CRLLdapValidator(this));
+        if(mConfig.getBoolean(PROP_CHECK_SUBSYSTEM_CONNECTION, false)) {
+            CMS.setApprovalCallbask(new CRLLdapValidator(this));
+        }
     }
 
     @Override
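Review bot: The guard added in startup() turns a previously unconditional revocation check into an opt-in that is off by default: when `checkSubsystemConnection` is absent or `false`, `CMS.setApprovalCallbask(new CRLLdapValidator(this))` is never registered, so existing deployments that upgrade with their current configuration silently stop validating connecting subsystems' certificates against the CRL held in LDAP. Consider defaulting the property to `true` so the old behavior is preserved, or at least log the chosen mode at startup so a disabled check is visible to operators, e.g. `logger.info("LDAPStore: CRL check of subsystem connections " + (checkConn ? "enabled" : "disabled"));` (the logger field of this class is not visible in the hunk, so adjust the name). A one-line comment above the `if` stating that skipping this registration disables revocation checking for subsystem connections would also help the next maintainer. Minor style: the surrounding code uses `if (` with a space, so `if (mConfig.getBoolean(PROP_CHECK_SUBSYSTEM_CONNECTION, false)) {` matches the file; and if LDAPStore's extended plugin info lists its properties, the new one should presumably be added there too (not visible here). startup() continues outside the hunk.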