aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Sommerseth <dazo@users.sourceforge.net>2010-05-16 19:42:40 +0200
committerDavid Sommerseth <dazo@users.sourceforge.net>2010-10-21 11:40:36 +0200
commit233105d2c9d1a2c6911342d8249b19310e94c251 (patch)
tree031046a0daa777874e9882c7ef4bc57fcff31471
parentAvoid repetition of "this config may cache passwords in memory" (v2) (diff)
downloadopenvpn-233105d2c9d1a2c6911342d8249b19310e94c251.tar.xz
OCSP_check.sh: new check logic
contrib/OCSP_check/OCSP_check.sh: I discovered that, quite surprisingly, the exit status of "openssl ocsp" is 0 even if the certificate status is "revoked". This means that the logic of the script needs to be rewritten so that it parses the output returned by the query and explicitly looks for a "0x<serial number>: good" line, and exit if either the command has a non-zero exit status, or the above line is not found. Doing that portably without bashisms requires some juggling around, so perhaps the code is slightly less clean now, but it does have many comments. Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
-rw-r--r--contrib/OCSP_check/OCSP_check.sh42
1 files changed, 32 insertions, 10 deletions
diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh
index 2ffe5d6..847be45 100644
--- a/contrib/OCSP_check/OCSP_check.sh
+++ b/contrib/OCSP_check/OCSP_check.sh
@@ -63,27 +63,49 @@ fi
# begin
if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
+
eval serial="\$tls_serial_${cur_depth}"
- # Check that the serial is not empty
+ # To successfully complete, the following must happen:
+ #
+ # - The serial number must not be empty
+ # - The exit status of "openssl ocsp" must be zero
+ # - The output of the above command must contain the line
+ # "0x${serial}: good"
+ #
+ # Everything else fails with exit status 1.
+
if [ -n "$serial" ]; then
# This is only an example; you are encouraged to run this command (without
# redirections) manually against your or your CA's OCSP server to see how
# it responds, and adapt accordingly.
- # Sample output:
+ # Sample output that is assumed here:
#
# Response verify OK
# 0x428740A5: good
# This Update: Apr 24 19:38:49 2010 GMT
# Next Update: May 2 14:23:42 2010 GMT
-
- openssl ocsp -issuer "$issuer" \
- "$nonce" \
- -CAfile "$verify" \
- -url "$ocsp_url" \
- -serial "0x${serial}" >/dev/null 2>&1
- else
- exit 1
+ #
+ # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL
+ # can in some circumstances give a "good" result if it could not
+ # reach the the OSCP server. In this case, the exit code will indicate
+ # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0,
+ # don't trust the OpenSSL status.
+
+ status=$(openssl ocsp -issuer "$issuer" \
+ "$nonce" \
+ -CAfile "$verify" \
+ -url "$ocsp_url" \
+ -serial "0x${serial}" 2>/dev/null)
+
+ if [ $? -eq 0 ]; then
+ # check that it's good
+ if echo "$status" | grep -Fq "0x${serial}: good"; then
+ exit 0
+ fi
+ fi
fi
+ # if we get here, something was wrong
+ exit 1
fi