diff options
author | David Sommerseth <dazo@users.sourceforge.net> | 2010-05-16 19:42:40 +0200 |
---|---|---|
committer | David Sommerseth <dazo@users.sourceforge.net> | 2010-10-21 11:40:36 +0200 |
commit | 233105d2c9d1a2c6911342d8249b19310e94c251 (patch) | |
tree | 031046a0daa777874e9882c7ef4bc57fcff31471 | |
parent | Avoid repetition of "this config may cache passwords in memory" (v2) (diff) | |
download | openvpn-233105d2c9d1a2c6911342d8249b19310e94c251.tar.xz |
OCSP_check.sh: new check logic
contrib/OCSP_check/OCSP_check.sh:
I discovered that, quite surprisingly, the exit status of "openssl ocsp"
is 0 even if the certificate status is "revoked". This means that the
logic of the script needs to be rewritten so that it parses the output
returned by the query and explicitly looks for a
"0x<serial number>: good"
line, and exit if either the command has a non-zero exit status, or the
above line is not found.
Doing that portably without bashisms requires some juggling around, so
perhaps the code is slightly less clean now, but it does have many
comments.
Signed-off-by: Davide Brini <dave_br@gmx.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
-rw-r--r-- | contrib/OCSP_check/OCSP_check.sh | 42 |
1 files changed, 32 insertions, 10 deletions
diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh index 2ffe5d6..847be45 100644 --- a/contrib/OCSP_check/OCSP_check.sh +++ b/contrib/OCSP_check/OCSP_check.sh @@ -63,27 +63,49 @@ fi # begin if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then + eval serial="\$tls_serial_${cur_depth}" - # Check that the serial is not empty + # To successfully complete, the following must happen: + # + # - The serial number must not be empty + # - The exit status of "openssl ocsp" must be zero + # - The output of the above command must contain the line + # "0x${serial}: good" + # + # Everything else fails with exit status 1. + if [ -n "$serial" ]; then # This is only an example; you are encouraged to run this command (without # redirections) manually against your or your CA's OCSP server to see how # it responds, and adapt accordingly. - # Sample output: + # Sample output that is assumed here: # # Response verify OK # 0x428740A5: good # This Update: Apr 24 19:38:49 2010 GMT # Next Update: May 2 14:23:42 2010 GMT - - openssl ocsp -issuer "$issuer" \ - "$nonce" \ - -CAfile "$verify" \ - -url "$ocsp_url" \ - -serial "0x${serial}" >/dev/null 2>&1 - else - exit 1 + # + # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL + # can in some circumstances give a "good" result if it could not + # reach the the OSCP server. In this case, the exit code will indicate + # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0, + # don't trust the OpenSSL status. + + status=$(openssl ocsp -issuer "$issuer" \ + "$nonce" \ + -CAfile "$verify" \ + -url "$ocsp_url" \ + -serial "0x${serial}" 2>/dev/null) + + if [ $? -eq 0 ]; then + # check that it's good + if echo "$status" | grep -Fq "0x${serial}: good"; then + exit 0 + fi + fi fi + # if we get here, something was wrong + exit 1 fi |