Fix to not try OCSP or CRL checks if there is already an error. This fix prevents an error code from being overwritten if there is already a failure. ZD13032

2021-10-07 15:30:16 -07:00 · 2021-10-07 15:30:16 -07:00 · 668f8700a4
commit 668f8700a4
parent 725e503c57
1 changed files with 3 additions and 1 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -12346,7 +12346,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
        {
            if (args->count > 0) {
            #if defined(HAVE_OCSP) || defined(HAVE_CRL)
-                if (args->fatal == 0) {
+                /* only attempt to check OCSP or CRL if not previous error such 
+                 * as ASN_BEFORE_DATE_E or ASN_AFTER_DATE_E */
+                if (args->fatal == 0 && ret == 0) {
                    int doLookup = 1;

                    if (ssl->options.side == WOLFSSL_CLIENT_END) {