WIP - trying to fix #3460

Signed-off-by: Luke Kanies <luke@puppetlabs.com>

Conflicts:

	lib/puppet/ssl/host.rb

2 files changed, 2 insertions, 1 deletions

diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 9fe67cc8a..111b72009 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -284,7 +284,7 @@ class Puppet::SSL::CertificateAuthority
         store.add_file Puppet[:cacert]
         store.add_crl crl.content if self.crl
         store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
-        store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+        store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
 
         unless store.verify(cert.content)
             raise CertificateVerificationError.new(store.error), store.error_string
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 281a2b612..958408359 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -214,6 +214,7 @@ class Puppet::SSL::Host
             # If there's a CRL, add it to our store.
             if crl = Puppet::SSL::CertificateRevocationList.find(CA_NAME)
                 @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+                @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
                 @ssl_store.add_crl(crl.content)
             end
             return @ssl_store