ocsp_check - double check if ocsp didn't report any errors in execution

in case the reposnses are too old, ocsp tool can return text like this: Response verify OK ca/cert.pem: WARNING: Status times invalid. 139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:358: good This Update: Sep 21 12:12:48 2014 GMT Next Update: Sep 22 12:12:48 2014 GMT light change in buffering can cause "verify OK" and "ca/cert.pem: good" to be placed in a way that matching will be valid Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1411727041-11884-2-git-send-email-hkario@redhat.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9055 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2026-06-09 00:42:51 -04:00 · 2014-09-26 12:24:01 +02:00 · 2014-09-26 12:24:01 +02:00 · 51390f4de4
commit 51390f4de4
parent e0c9e84529
1 changed files with 4 additions and 0 deletions
--- a/contrib/OCSP_check/OCSP_check.sh
+++ b/contrib/OCSP_check/OCSP_check.sh
@ -100,6 +100,10 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
                    -serial "${serial}" 2>&1)

    if [ $? -eq 0 ]; then
+      # check if ocsp didn't report any errors
+      if echo "$status" | grep -Eq "(error|fail)"; then
+          exit 1
+      fi
      # check that the reported status of certificate is ok
      if echo "$status" | grep -Fq "^${serial}: good"; then
        # check if signature on the OCSP response verified correctly