From c88614354f80bec0e0e777338e170474f2242212 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Wed, 21 Sep 2016 09:46:25 -0400
Subject: [PATCH] make code match the comments and documentation

---
 src/main/tls.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/main/tls.c b/src/main/tls.c
index c9ef184..f5c5ec7 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -2214,9 +2214,12 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 		 *	If OCSP returns skipped (2), we run the verify command, unless
 		 *	conf->verify_skip_if_ocsp_ok is true.
 		 */
-		if ((my_ok != 0)
+		if ((my_ok != OCSP_STATUS_FAILED)
 #ifdef HAVE_OPENSSL_OCSP_H
-		    && conf->ocsp_enable && (my_ok != OCSP_STATUS_OK) && conf->verify_skip_if_ocsp_ok
+		    && conf->ocsp_enable &&
+		    (((my_ok == OCSP_STATUS_OK) && !conf->verify_skip_if_ocsp_ok) ||
+		     ((my_ok == OCSP_STATUS_SKIPPED) && conf->verify_skip_if_ocsp_ok))
+
 #endif
 			) while (conf->verify_client_cert_cmd) {
 			char filename[256];
-- 
2.1.4