If OCSP checks fail, don't run verify command
authorAlan T. DeKok <aland@freeradius.org>
Tue, 24 Nov 2015 18:01:52 +0000 (13:01 -0500)
committerAlan T. DeKok <aland@freeradius.org>
Tue, 24 Nov 2015 18:02:15 +0000 (13:02 -0500)
because the client will be rejected anyway, so we don't want to spend
extra resources

src/main/tls.c

index 33c2bd9bd8dad6b2ef5fe0e5ca08aff4807df0a7..62066b5de0ee83a8a76cdcbc5e07a57346a847e0 100644 (file)
@@ -2070,7 +2070,12 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
                }
 #endif
 
-               while (conf->verify_client_cert_cmd) {
+               /*
+                *      If OCSP checks fail, don't run the verify
+                *      command.  The user will be rejected no matter
+                *      what, so we might as well do less work.
+                */
+               if (my_ok) while (conf->verify_client_cert_cmd) {
                        char filename[256];
                        int fd;
                        FILE *fp;
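Review bot: The new guard `if (my_ok) while (conf->verify_client_cert_cmd) {` is an unbraced `if` controlling a multi-line `while` block, so a reader skimming the body can miss that the whole block is conditional, and a later edit that inserts a statement between the `if` and the `while` would silently narrow the guard to that statement. Folding the condition into the loop, `while (my_ok && conf->verify_client_cert_cmd) {`, keeps the same behaviour with a single control statement; wrapping the loop in `if (my_ok) { ... }` braces is the other option. The added comment attributes the skip to OCSP only, but my_ok is assigned outside the hunk and presumably also carries earlier verification results, in which case the comment should read `If an earlier check (e.g. OCSP) failed, don't run the verify command`. cbtls_verify starts before and continues after the hunk.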