mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-19 19:42:30 +02:00
ocsp_check - signature verification and cert staus results are separate
when openssl returns result of parsing and verification of the OCSP response, the signature verification is separate from the certificate status, as such it's necessary to check both of them. Otherwise results like: Response Verify Failure 140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85: ca/cert.pem: good This Update: Sep 23 12:12:28 2014 GMT will be accepted as being trustworthy. Note that "Response verify OK" is printed on stderr, so it can't be discarded. Signed-off-by: Hubert Kario <hkario@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1411727041-11884-1-git-send-email-hkario@redhat.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9054 Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
parent
8a4566ce4f
commit
e0c9e84529
@ -97,12 +97,15 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
|
||||
"$nonce" \
|
||||
-CAfile "$verify" \
|
||||
-url "$ocsp_url" \
|
||||
-serial "${serial}" 2>/dev/null)
|
||||
-serial "${serial}" 2>&1)
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
# check that it's good
|
||||
# check that the reported status of certificate is ok
|
||||
if echo "$status" | grep -Fq "^${serial}: good"; then
|
||||
exit 0
|
||||
# check if signature on the OCSP response verified correctly
|
||||
if echo "$status" | grep -Fq "^Response verify OK"; then
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
Loading…
Reference in New Issue
Block a user