path: root/openvpn.8
author: Davide Brini <dave_br@gmx.com> 2010-04-27 12:20:05 +0100
committer: David Sommerseth <dazo@users.sourceforge.net> 2010-10-21 11:39:30 +0200
commit: 7d5e26cbb53e2700c966e6b6e815f0c824da8956 (patch)
tree: 5c0d1d9fc28478c67761d745cc06a4cc4b01b6d5 /openvpn.8
parent: 892e64b6b9e08f838add6b32dfdea73d607b36ce (diff)
Fix certificate serial number export
contrib/OCSP_check/OCSP_check.sh: New barebone script to demonstrate how to use $tls_serial_{n} to perform simple OCSP queries using OpenSSL command line "openssl ocsp". Minimal sanity checks to fail if user tries to use it without customizing.

openvpn.8: Added some notes about $tls_serial_{n} format and usage to the existing description.

ssl.c: correctly manage and export serial numbers of any size (as parsed by OpenSSL) into the environment. Set to empty string in case of errors, as 0 and negative numbers are all possible (although illegal) certificate serial numbers. Use an OpenSSL BIO object to do the job. Conforms to coding style guidelines.

See the discussion at http://article.gmane.org/gmane.network.openvpn.devel/3588 for more details.

Signed-off-by: Davide Brini <dave_br@gmx.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Diffstat (limited to 'openvpn.8')
-rw-r--r-- openvpn.8 | 7
1 files changed, 6 insertions, 1 deletions
diff --git a/openvpn.8 b/openvpn.8
index 707b2ed..eb8fd42 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -5355,7 +5355,12 @@ where
is the verification level. Only set for TLS connections. Set prior
to execution of
.B \-\-tls-verify
-script.
+script. This is in the form of a hex string like "37AB46E0", which is
+suitable for doing serial-based OCSP queries (with OpenSSL, you have
+to prepend "0x" to the string). If something goes wrong while reading
+the value from the certificate it will be an empty string, so your
+code should check that.
+See the contrib/OCSP_check/OCSP_check.sh script for an example.
.\"*********************************************************
.TP
.B tun_mtu
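Review bot: the added text tells script authors that an empty $tls_serial_{n} must be checked ("it will be an empty string, so your code should check that") but not what the check should do; please state that an empty value should make the --tls-verify script exit non-zero, because a script that merely skips the OCSP query on an empty serial would accept a certificate whose serial could not be read, which is exactly the error case this commit introduces the empty string to signal. Two smaller points: the "0x" remark is only meaningful together with the "-serial" argument of "openssl ocsp", so naming that argument would make the sentence self-contained, and the path contrib/OCSP_check/OCSP_check.sh would read better in the man page's own markup (for example on its own line under .I) rather than inline in plain text, matching how the surrounding entries mark up option and file names.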