Use conf->ocsp_store, as it is always set.

[freeradius.git] / src / main / tls.c

diff --git a/src/main/tls.c b/src/main/tls.c
index 21c276e..c9ef184 100644 (file)
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1921,7 +1921,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 
        identity = (char **)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_IDENTITY);
 #ifdef HAVE_OPENSSL_OCSP_H
-       ocsp_store = (X509_STORE *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_STORE);
+       ocsp_store = conf->ocsp_store;
 #endif
 
        talloc_ctx = SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_TALLOC);
@@ -2195,7 +2195,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 #ifdef HAVE_OPENSSL_OCSP_H
                if (my_ok && conf->ocsp_enable){
                        RDEBUG2("Starting OCSP Request");
-                       if (X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert) != 1) {
+                       if ((X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert) != 1) ||
+                           !issuer_cert) {
                                RERROR("Couldn't get issuer_cert for %s", common_name);
                        } else {
                                my_ok = ocsp_check(request, ocsp_store, issuer_cert, client_cert, conf);