From 27ab61cec7cefa645a1e02834e032eef12907598 Mon Sep 17 00:00:00 2001 From: Hubert Kario Date: Fri, 26 Sep 2014 12:24:01 +0200 Subject: [PATCH] ocsp_check - double check if ocsp didn't report any errors in execution in case the reposnses are too old, ocsp tool can return text like this: Response verify OK ca/cert.pem: WARNING: Status times invalid. 139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:358: good This Update: Sep 21 12:12:48 2014 GMT Next Update: Sep 22 12:12:48 2014 GMT light change in buffering can cause "verify OK" and "ca/cert.pem: good" to be placed in a way that matching will be valid Acked-by: Steffan Karger Message-Id: <1411727041-11884-2-git-send-email-hkario@redhat.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9055 Signed-off-by: Gert Doering (cherry picked from commit 51390f4de4f02edf377d55a7ef108798d2d8dc88) --- contrib/OCSP_check/OCSP_check.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh index ce7ec0488..6876c6d8c 100644 --- a/contrib/OCSP_check/OCSP_check.sh +++ b/contrib/OCSP_check/OCSP_check.sh @@ -100,6 +100,10 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then -serial "${serial}" 2>&1) if [ $? -eq 0 ]; then + # check if ocsp didn't report any errors + if echo "$status" | grep -Eq "(error|fail)"; then + exit 1 + fi # check that the reported status of certificate is ok if echo "$status" | grep -Fq "^${serial}: good"; then # check if signature on the OCSP response verified correctly -- 2.47.2