Diffstat (limited to 'src/libstrongswan/plugins/revocation')
-rw-r--r-- | src/libstrongswan/plugins/revocation/Makefile.in | 7 | ||||
-rw-r--r-- | src/libstrongswan/plugins/revocation/revocation_validator.c | 12 |
2 files changed, 18 insertions, 1 deletions
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in index e8856b7d7..a78762c82 100644 --- a/src/libstrongswan/plugins/revocation/Makefile.in +++ b/src/libstrongswan/plugins/revocation/Makefile.in @@ -195,6 +195,9 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +axis2c_CFLAGS = @axis2c_CFLAGS@ +axis2c_LIBS = @axis2c_LIBS@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -203,6 +206,7 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +clearsilver_LIBS = @clearsilver_LIBS@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ @@ -219,11 +223,13 @@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ +imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -267,6 +273,7 @@ sharedstatedir = @sharedstatedir@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ +starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index def169275..34f347d1a 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c 
@@ -404,7 +404,15 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, { DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N", &revocation, TRUE, crl_reason_names, reason); - *valid = VALIDATION_REVOKED; + if (reason != CRL_REASON_CERTIFICATE_HOLD) + { + *valid = VALIDATION_REVOKED; + } + else + { + /* if the cert is on hold, a newer CRL might not contain it */ + *valid = VALIDATION_ON_HOLD; + } enumerator->destroy(enumerator); DESTROY_IF(best); return cand; @@ -681,6 +689,7 @@ METHOD(cert_validator_t, validate, bool, DBG1(DBG_CFG, "certificate status is good"); return TRUE; case VALIDATION_REVOKED: + case VALIDATION_ON_HOLD: /* has already been logged */ return FALSE; case VALIDATION_SKIPPED: @@ -700,6 +709,7 @@ METHOD(cert_validator_t, validate, bool, DBG1(DBG_CFG, "certificate status is good"); return TRUE; case VALIDATION_REVOKED: + case VALIDATION_ON_HOLD: /* has already been logged */ return FALSE; case VALIDATION_FAILED: |
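Review bot: Any code outside this directory that tests the result with an explicit `== VALIDATION_REVOKED` will now treat a certificate on hold as not revoked. The diffstat is limited to the revocation plugin, so whether such comparisons exist cannot be judged from this page. Switches and comparisons over the validation result elsewhere should be checked to confirm that `VALIDATION_ON_HOLD` is rejected by default. In the get_better_crl hunk the `DBG1` line above the new branch still reads "certificate was revoked" for a hold; I would extend the added comment to `/* on hold: still rejected now, but a newer CRL might not contain it */` so the fail-closed intent is stated where the value is set. The body of get_better_crl starts and ends outside the hunk.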
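Review bot: The comment `/* has already been logged */` in both `validate` switches (the hunks at -681 and -700) now covers two case labels, but it does not say that treating on-hold like revoked is deliberate. A later edit could move `case VALIDATION_ON_HOLD:` to a more lenient branch without noticing that it changes a security decision. I would reword it in both places to `/* on hold is rejected like revoked; has already been logged */`. The body of `validate` continues outside both hunks, so the remaining case labels are not visible here.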