From 831e643a24a614d53777c80c3c7287be90750984 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 12 Dec 2012 10:14:38 -0800
Subject: [PATCH 1/2] fixed file name in comment

---
 cyassl/ocsp.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cyassl/ocsp.h b/cyassl/ocsp.h
index 2cfd46e25..4a01cecb2 100644
--- a/cyassl/ocsp.h
+++ b/cyassl/ocsp.h
@@ -1,4 +1,4 @@
-/* ssl.h
+/* ocsp.h
  *
  * Copyright (C) 2006-2012 Sawtooth Consulting Ltd.
  *

From 359e86adf6abd7407dead8c4431267a36843138e Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Mon, 17 Dec 2012 22:19:20 -0800
Subject: [PATCH 2/2] 1. When OCSP and CRL enabled, checks CRL if unable to contact OCSP responder and OCSP was enabled. 2. Fixed a couple string typos. 3. Only check OCSP if cert successfully parsed.

---
 src/internal.c | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 181b90d9c..e4089d761 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2285,33 +2285,46 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
             else {
                 CYASSL_MSG("Failed to verify Peer's cert");
                 if (ssl->verifyCallback) {
-                    CYASSL_MSG("\tCallback override availalbe, will continue");
+                    CYASSL_MSG("\tCallback override available, will continue");
                     fatal = 0;
                 }
                 else {
-                    CYASSL_MSG("\tNo callback override availalbe, fatal");
+                    CYASSL_MSG("\tNo callback override available, fatal");
                     fatal = 1;
                 }
             }
 
 #ifdef HAVE_OCSP
-            ret = CyaSSL_OCSP_Lookup_Cert(&ssl->ctx->ocsp, &dCert);
-            if (ret != 0) {
-                CYASSL_MSG("\tOCSP Lookup not ok");
-                fatal = 0;
+            if (fatal == 0) {
+                ret = CyaSSL_OCSP_Lookup_Cert(&ssl->ctx->ocsp, &dCert);
+                if (ret != 0) {
+                    CYASSL_MSG("\tOCSP Lookup not ok");
+                    fatal = 0;
+                }
             }
 #endif
 
 #ifdef HAVE_CRL
             if (fatal == 0 && ssl->ctx->cm->crlEnabled) {
-                CYASSL_MSG("Doing Leaf CRL check");
-                ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert);
+                int doCrlLookup = 1;
 
-                if (ret != 0) {
-                    CYASSL_MSG("\tCRL check not ok");
-                    fatal = 0;
+                #ifdef HAVE_OCSP
+                if (ssl->ctx->ocsp.enabled) {
+                    doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
+                }
+                #endif /* HAVE_OCSP */
+
+                if (doCrlLookup) {
+                    CYASSL_MSG("Doing Leaf CRL check");
+                    ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert);
+
+                    if (ret != 0) {
+                        CYASSL_MSG("\tCRL check not ok");
+                        fatal = 0;
+                    }
                 }
             }
+
 #endif /* HAVE_CRL */
 
 #ifdef OPENSSL_EXTRA
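Review bot: The new `if (fatal == 0)` guard on the OCSP lookup does not match the commit's "only check OCSP if cert successfully parsed": the visible "Failed to verify Peer's cert" branch also sets `fatal = 0` whenever a verifyCallback is registered, so on that path `ret = CyaSSL_OCSP_Lookup_Cert(...)` (and later `ret = CheckCertCRL(...)`) overwrites the earlier verification error, and a "good" OCSP response or a clean CRL would appear to turn an unverified chain into `ret == 0` before whatever consumes `ret` after this hunk runs. The consumer is outside the hunk, so this is inferred; if `ret` is indeed the verify result there, capture it with `int verifyRet = ret;` before `#ifdef HAVE_OCSP` and restore it after `#endif /* HAVE_CRL */` with `if (verifyRet != 0) ret = verifyRet;`, or gate both revocation blocks on `ret == 0` as well as `fatal == 0`. The `doCrlLookup = (ret == OCSP_CERT_UNKNOWN);` line also deserves a comment, since it silently makes any other OCSP outcome final and skips the CRL entirely: `/* OCSP gave no answer (responder unreachable / no status): fall back to CRL; a definite good or revoked answer is final */`. DoCertificate's body begins and ends outside this hunk.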