author Hubert Kario <hkario@redhat.com> 2014-09-26 12:24:01 +0200
committer Gert Doering <gert@greenie.muc.de> 2014-10-05 21:25:16 +0200
commit 51390f4de4f02edf377d55a7ef108798d2d8dc88
tree b4554fe2717a0097ef310130a020251e21c36217 /contrib
parent e0c9e8452932a964b556daaeacdf7d9eab133e36
ocsp_check - double check if ocsp didn't report any errors in execution

in case the responses are too old, ocsp tool can return text like this:

Response verify OK
ca/cert.pem: WARNING: Status times invalid.
139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:358:
good
    This Update: Sep 21 12:12:48 2014 GMT
    Next Update: Sep 22 12:12:48 2014 GMT

light change in buffering can cause "verify OK" and "ca/cert.pem: good"
to be placed in a way that matching will be valid

Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1411727041-11884-2-git-send-email-hkario@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9055
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Diffstat (limited to 'contrib')
-rw-r--r-- contrib/OCSP_check/OCSP_check.sh 4
1 files changed, 4 insertions, 0 deletions

diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh
index ce7ec04..6876c6d 100644
--- a/contrib/OCSP_check/OCSP_check.sh
+++ b/contrib/OCSP_check/OCSP_check.sh
@@ -100,6 +100,10 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
-serial "${serial}" 2>&1)
if [ $? -eq 0 ]; then
+ # check if ocsp didn't report any errors
+ if echo "$status" | grep -Eq "(error|fail)"; then
+ exit 1
+ fi
# check that the reported status of certificate is ok
if echo "$status" | grep -Fq "^${serial}: good"; then
# check if signature on the OCSP response verified correctly
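
Review bot: The added `grep -Eq "(error|fail)"` is case-sensitive, so it catches the lowercase `:error:` line quoted in the commit message but would miss capitalised variants such as "Error" or "Failure", and it ignores the "WARNING: Status times invalid." line unless an error line accompanies it. Consider `grep -Eqi "(error|fail|warning)"` so the check fails closed on any of these, and echo the reason to stderr before `exit 1` so a rejected connection can be diagnosed from the log. Separately, the unchanged context line `grep -Fq "^${serial}: good"` combines `-F` with a leading `^`; in fixed-string mode the caret is matched literally rather than as a line anchor, so that test is worth re-checking in the same series.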