From 8f0d49f5b321a159839e9d910bd1feed6b51a5e3 Mon Sep 17 00:00:00 2001
From: John Wood
Date: Wed, 9 Feb 2022 10:07:55 -0800
Subject: [PATCH] Don't check OCSP if there are no OCSP servers in the chain (#255)
---
lib/ocsp.go | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/lib/ocsp.go b/lib/ocsp.go
index 09df6351..799a3dba 100644
--- a/lib/ocsp.go
+++ b/lib/ocsp.go
@@ -76,6 +76,15 @@ func checkOCSP(chain []*x509.Certificate, ocspStaple []byte) (status *ocsp.Respo
 return nil, skippedRevocationCheck
 }
 
+ // Skip if there are no OCSP servers in the chain.
+ numServers := 0
+ for _, cert := range chain[1:] {
+ numServers += len(cert.OCSPServer)
+ }
+ if numServers == 0 {
+ return nil, skippedRevocationCheck
+ }
+
 retries := maxOCSPValidationRetries
 if len(ocspStaple) > 0 { // Don't retry if stapled