vasco/FSI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

oscp-verifty

Browse Source
This commit is contained in:
Vasco
2026-04-22 00:03:42 +01:00
parent d3e54464db
commit 1d068380db
2 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
VM_OPENSSL.sh
View File

@@ -15,4 +15,5 @@ cp ca/serial $CA_DIR
cp ca/dh2048.pem $CA_DIR
# correr oscp
killall openssl 2>/dev/null
openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &

19
conf/ocsp-verify.sh
View File

@@ -4,20 +4,25 @@ depth=$1
# Only check client certificate (depth 0)
if [ "$depth" -eq 0 ]; then
if [ -n "$tls_serial_0" ] && [ -n "$peer_cert" ]; then
# Check OCSP against the CA
# Assuming OpenSSL server runs on 10.60.0.1:8888 for OCSP
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -cert "$peer_cert" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
echo "Checking OCSP for peer_cert=$peer_cert" >> /tmp/ocsp.log
if [ -n "$peer_cert" ]; then
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -cert "$peer_cert" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>>/tmp/ocsp.log)
echo "OCSP Status: $status" >> /tmp/ocsp.log
if echo "$status" | grep -q "cert: revoked"; then
if echo "$status" | grep -q "revoked"; then
echo "Result: REVOKED" >> /tmp/ocsp.log
exit 1
fi
if echo "$status" | grep -q "cert: good"; then
if echo "$status" | grep -q "good"; then
echo "Result: GOOD" >> /tmp/ocsp.log
exit 0
fi
# If unknown or error, fail safe
echo "Result: UNKNOWN/ERROR" >> /tmp/ocsp.log
exit 1
else
echo "peer_cert is empty!" >> /tmp/ocsp.log
exit 1
fi
fi