26 lines
720 B
Bash
Executable File
26 lines
720 B
Bash
Executable File
#!/bin/bash
|
|
# OpenVPN passes cert depth as $1
|
|
depth=$1
|
|
|
|
# Only check client certificate (depth 0)
|
|
if [ "$depth" -eq 0 ]; then
|
|
if [ -n "$tls_serial_0" ] && [ -n "$peer_cert" ]; then
|
|
# Check OCSP against the CA
|
|
# Assuming OpenSSL server runs on 10.60.0.1:8888 for OCSP
|
|
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -cert "$peer_cert" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
|
|
|
|
if echo "$status" | grep -q "cert: revoked"; then
|
|
exit 1
|
|
fi
|
|
|
|
if echo "$status" | grep -q "cert: good"; then
|
|
exit 0
|
|
fi
|
|
|
|
# If unknown or error, fail safe
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
exit 0
|