oscp-verifty

VM_OPENSSL.sh

@@ -15,4 +15,5 @@ cp ca/serial $CA_DIR
 cp ca/dh2048.pem $CA_DIR
 
 # correr oscp
+killall openssl 2>/dev/null
 openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &

conf/ocsp-verify.sh

@@ -4,20 +4,25 @@ depth=$1
 
 # Only check client certificate (depth 0)
 if [ "$depth" -eq 0 ]; then
-    if [ -n "$tls_serial_0" ] && [ -n "$peer_cert" ]; then
-        # Check OCSP against the CA
-        # Assuming OpenSSL server runs on 10.60.0.1:8888 for OCSP
-        status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -cert "$peer_cert" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
+    echo "Checking OCSP for peer_cert=$peer_cert" >> /tmp/ocsp.log
+    if [ -n "$peer_cert" ]; then
+        status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -cert "$peer_cert" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>>/tmp/ocsp.log)
+        echo "OCSP Status: $status" >> /tmp/ocsp.log
         
-        if echo "$status" | grep -q "cert: revoked"; then
+        if echo "$status" | grep -q "revoked"; then
+            echo "Result: REVOKED" >> /tmp/ocsp.log
             exit 1
         fi
         
-        if echo "$status" | grep -q "cert: good"; then
+        if echo "$status" | grep -q "good"; then
+            echo "Result: GOOD" >> /tmp/ocsp.log
             exit 0
         fi
         
-        # If unknown or error, fail safe
+        echo "Result: UNKNOWN/ERROR" >> /tmp/ocsp.log
+        exit 1
+    else
+        echo "peer_cert is empty!" >> /tmp/ocsp.log
         exit 1
     fi
 fi