From 3e49fc120165229fe52bcfc193424c83e3460dae Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Sun, 26 Oct 2014 09:57:48 -0400
Subject: [PATCH] Do OCSP checks only if we got issuer_cert. Closes #756
---
 src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index 180fcac..86d7306 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -847,10 +847,11 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 #ifdef HAVE_OPENSSL_OCSP_H
 if (my_ok && conf->ocsp_enable){
 RDEBUG2("--> Starting OCSP Request");
- if(X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert)!=1) {
+ if (X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert) != 1) {
 radlog(L_ERR, "Error: Couldn't get issuer_cert for %s", common_name);
+ } else {
+ my_ok = ocsp_check(ocsp_store, issuer_cert, client_cert, conf);
 }
- my_ok = ocsp_check(ocsp_store, issuer_cert, client_cert, conf);
 }
 #endif
-- 
2.1.4
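Review bot: When `X509_STORE_CTX_get1_issuer()` does not return 1, the new failure branch only logs and leaves `my_ok` true, so with `conf->ocsp_enable` set a certificate whose issuer cannot be located skips the revocation check and carries on as accepted. Skipping `ocsp_check()` keeps it from being handed an `issuer_cert` that was presumably never filled in, but the branch should fail closed unless a soft-fail policy is deliberately intended: add `my_ok = 0;` after the `radlog()` call. The log text could also state that the OCSP check was not performed, so an operator reading it knows revocation status was never established. `cbtls_verify` starts and ends outside the hunk, so whether later code overrides `my_ok`, or releases the reference taken by the `get1` call, cannot be confirmed from here.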