From 0b337a21175257a77205ed136109a65f8b53e9b8 Mon Sep 17 00:00:00 2001
From: Vasco
Date: Tue, 28 Apr 2026 00:53:37 +0100
Subject: [PATCH] fixed?

---
 conf/ocsp-verify.sh | 30 ++++++++++--------------------
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/conf/ocsp-verify.sh b/conf/ocsp-verify.sh
index 46e2c57..32d740c 100755
--- a/conf/ocsp-verify.sh
+++ b/conf/ocsp-verify.sh
@@ -1,25 +1,15 @@
 #!/bin/bash
-# vagamente baseado nas fontes:
-# - https://github.com/OpenVPN/openvpn/blob/master/contrib/OCSP_check/OCSP_check.sh
-
-cur_depth=$1
-
-if [ "$cur_depth" -eq 0 ]; then
- eval serial="\$tls_serial_${cur_depth}"
-
- if [ -n "$serial" ]; then
- hex_serial=$(printf '%x' "$serial")
- status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -no_nonce -CAfile /etc/openvpn/server/ca.crt -url http://10.60.0.1:8888 -serial "0x${hex_serial}" 2>&1)
-
- if [ $? -eq 0 ]; then
- if echo "$status" | grep -Eq "(error|fail|revoked)"; then
- exit 1
- fi
- if echo "$status" | grep -Eq "good"; then
- exit 0
- fi
+depth=$1
+if [ "$depth" -eq 0 ]; then
+ if [ -n "$tls_serial_0" ]; then
+ # é preciso converter o serial para hexadecimal porque o openssl espera em hex
+ hex_serial=$(printf '%x' "$tls_serial_0")
+ status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
+ if echo "$status" | grep -q "good"; then
+ exit 0 # sucesso
 fi
+
+ exit 1 # revogado ou não encontrado
 fi
- # se chegou aqui, falhou
 exit 1
 fi
\ No newline at end of file
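Review bot: The new code accepts the certificate on `grep -q "good"` alone and no longer checks openssl's exit status (the old `if [ $? -eq 0 ]` guard is removed and stderr is now discarded), so a response that fails signature verification but still carries a per-certificate status line — openssl prints the summary after "Response Verify Failure" on the same output stream, as far as I recall — would be treated as good. Keep the exit-status check and require both the verification line and the exact status line: `status=$(openssl ocsp ... 2>/dev/null) || exit 1` followed by `if echo "$status" | grep -q "Response verify OK" && echo "$status" | grep -q "^0x${hex_serial}: good$"; then`. Note that openssl echoes the `-serial` argument verbatim in that line, so the anchored pattern should match; confirm against the responder's actual output. Separately, `printf '%x'` on a decimal serial wider than 64 bits fails or wraps in bash, which would turn a valid client into an "unknown" lookup; OpenVPN 2.4+ also exports `tls_serial_hex_0` (colon-separated), which avoids the conversion via `"0x${tls_serial_hex_0//:/}"`.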