From: Alan T. DeKok <aland@freeradius.org>
Date: Tue, 24 Nov 2015 18:01:52 +0000 (-0500)
Subject: If OCSP checks fail, don't run verify command
X-Git-Tag: release_3_0_11~144
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6162c64bfef1aefe5b96e583594a472cf33fb2a0;p=thirdparty%2Ffreeradius-server.git

If OCSP checks fail, don't run verify command

because the client will be rejected, so we don't want to run
extra resources
---

diff --git a/src/main/tls.c b/src/main/tls.c
index 33c2bd9bd8d..62066b5de0e 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -2070,7 +2070,12 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 		}
 #endif
 
-		while (conf->verify_client_cert_cmd) {
+		/*
+		 *	If OCSP checks fail, don't run the verify
+		 *	command.  The user will be rejected no matter
+		 *	what, so we might as well do less work.
+		 */
+		if (my_ok) while (conf->verify_client_cert_cmd) {
 			char filename[256];
 			int fd;
 			FILE *fp;