hmm3

2026-04-21 23:06:47 +01:00
parent 445c99b10e
commit 21a4fb5d08
5 changed files with 38 additions and 9 deletions
--- a/conf/ocsp-verify.sh
+++ b/conf/ocsp-verify.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# OpenVPN passes cert depth as $1
+depth=$1
+
+# Only check client certificate (depth 0)
+if [ "$depth" -eq 0 ]; then
+    if [ -n "$tls_serial_0" ] && [ -n "$peer_cert" ]; then
+        # Check OCSP against the CA
+        # Assuming OpenSSL server runs on 10.60.0.1:8888 for OCSP
+        status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -cert "$peer_cert" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
+        
+        if echo "$status" | grep -q "cert: revoked"; then
+            exit 1
+        fi
+        
+        if echo "$status" | grep -q "cert: good"; then
+            exit 0
+        fi
+        
+        # If unknown or error, fail safe
+        exit 1
+    fi
+fi
+
+exit 0