34 lines
1.1 KiB
Bash
Executable File
34 lines
1.1 KiB
Bash
Executable File
#!/bin/bash
|
|
# OpenVPN passes cert depth as $1
|
|
depth=$1
|
|
|
|
# Only check client certificate (depth 0)
|
|
env >> /etc/openvpn/server/ocsp_env.log
|
|
if [ "$depth" -eq 0 ]; then
|
|
echo "Checking OCSP for serial=$tls_serial_0" >> /etc/openvpn/server/ocsp.log
|
|
if [ -n "$tls_serial_0" ]; then
|
|
# OpenVPN exports tls_serial_0 as decimal, OpenSSL expects hex
|
|
hex_serial=$(printf '%x' "$tls_serial_0")
|
|
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>>/etc/openvpn/server/ocsp.log)
|
|
echo "OCSP Status: $status" >> /etc/openvpn/server/ocsp.log
|
|
|
|
if echo "$status" | grep -q "revoked"; then
|
|
echo "Result: REVOKED" >> /etc/openvpn/server/ocsp.log
|
|
exit 1
|
|
fi
|
|
|
|
if echo "$status" | grep -q "good"; then
|
|
echo "Result: GOOD" >> /etc/openvpn/server/ocsp.log
|
|
exit 0
|
|
fi
|
|
|
|
echo "Result: UNKNOWN/ERROR" >> /etc/openvpn/server/ocsp.log
|
|
exit 1
|
|
else
|
|
echo "tls_serial_0 is empty!" >> /etc/openvpn/server/ocsp.log
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
exit 0
|