From 668f8700a4e8de967a1faa8cdcf9d2dbdfbad703 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Thu, 7 Oct 2021 15:30:16 -0700
Subject: [PATCH] Fix to not try OCSP or CRL checks if there is already an error.

This fix prevents an error code from being overwritten if there is already a failure. ZD13032
---
 src/internal.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index 0a68d6407..a7a36ff82 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -12346,7 +12346,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 {
 if (args->count > 0) {
 #if defined(HAVE_OCSP) || defined(HAVE_CRL)
- if (args->fatal == 0) {
+ /* only attempt to check OCSP or CRL if not previous error such
+ * as ASN_BEFORE_DATE_E or ASN_AFTER_DATE_E */
+ if (args->fatal == 0 && ret == 0) {
 int doLookup = 1;
 if (ssl->options.side == WOLFSSL_CLIENT_END) {