software/slapos-master: allow disabling CRL check

7906b01c · Titouan Soulard · 31c5f124 · 7906b01c · 7906b01c · 7906b01c
Commit 7906b01c authored Jan 11, 2024 by Titouan Soulard
3 changed files
--- a/software/slapos-master/apache-backend.conf.in
+++ b/software/slapos-master/apache-backend.conf.in
@@ -163,13 +163,15 @@ Listen {{ ip }}:{{ port }}
 {%   endfor -%}
 <VirtualHost *:{{ port }}>
  SSLEngine on
-{% if enable_authentication and parameter_dict['shared-ca-cert'] and parameter_dict['shared-crl'] -%}
+{% if enable_authentication and parameter_dict['shared-ca-cert'] -%}
  SSLVerifyClient require
  # Custom block we use for now different parameters.
  RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
  SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }}
+{% if parameter_dict['shared-crl'] -%}
  SSLCARevocationCheck chain
  SSLCARevocationPath {{ parameter_dict['shared-crl'] }}
+{% endif -%}

  LogFormat "%h %l %{Remote-User}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" service


--- a/software/slapos-master/buildout.hash.cfg
+++ b/software/slapos-master/buildout.hash.cfg
@@ -18,11 +18,11 @@ md5sum = 15744bc9aa87585a64cb0050263e3142

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = da8399562377b472c9488a337d0230dc
+md5sum = e5f505b65e15346c4ea9a8c73796c1f1

 [template-apache-backend-conf]
 filename = apache-backend.conf.in
-md5sum = 6cf13e8f5545d241e6514503f9824b02
+md5sum = 596309dd5d1a9e16f9fc95354bbfc515

 [template-haproxy-cfg]
 filename = haproxy.cfg.in

--- a/software/slapos-master/instance-balancer.cfg.in
+++ b/software/slapos-master/instance-balancer.cfg.in
@@ -4,6 +4,7 @@
 {% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
 {% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend-caucase-url-list', []) -%}
 {% set shared_ca_path = slapparameter_dict.get('shared-certificate-authority-path') -%}
+{% set check_crl = slapparameter_dict.get('check-crl', True) -%}
 {#
 XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
 per partition. No more (undefined result), no less (IndexError).
@@ -174,8 +175,10 @@ crl = ${apache-conf-ssl:crl}

 {% if shared_ca_path -%}
 shared-ca-cert = {{ shared_ca_path }}/cacert.pem
+{% if check_crl -%}
 shared-crl = {{ shared_ca_path }}/crl
 {%- endif %}
+{%- endif %}

 [apache-conf]
 < = jinja2-template-base