vasco/FSI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: vasco:c175b85239c9c508ef2de5933e99e05a4165dd09
Branches Tags
vasco:main vasco:secret_branch
..
compare: vasco:79d62754a3906eacc7a02abc5aae2b8fc64c1a65
Branches Tags
vasco:main vasco:secret_branch

2 Commits
c175b85239 ... 79d62754a3

Author SHA1 Message Date
Vasco
79d62754a3 merginton 2026-04-28 00:19:02 +01:00
Vasco
7cae69b945 OCSP atualizado 2026-04-28 00:18:28 +01:00
4 changed files with 66 additions and 65 deletions
Expand all files Collapse all files

7
VM_OPENSSL_APACHE.sh
View File

@@ -12,11 +12,8 @@ id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john echo "password" | passwd --stdin john
# dar acesso ao apache para ler o .google_authenticator # dar acesso ao apache para ler o .google_authenticator
groupadd -f totp usermod -aG apache john
usermod -aG totp apache sudo chown apache:apache /home/john/.google_authenticator
usermod -aG totp john
sudo chown apache:totp /home/john/.google_authenticator
sudo chmod 660 /home/john/.google_authenticator sudo chmod 660 /home/john/.google_authenticator
if_dentro="enp0s8" if_dentro="enp0s8"

6
VM_VPN_GATEWAY.sh
View File

@@ -45,8 +45,6 @@ systemctl enable --now openvpn-server@vpn.service
# --- utilizador --- # # --- utilizador --- #
id -u john &>/dev/null || useradd john id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john echo "password" | passwd --stdin john
groupadd -f totp usermod -aG openvpn john
usermod -aG totp john sudo chown john:openvpn /home/john/.google_authenticator
usermod -aG totp openvpn
sudo chown john:totp /home/john/.google_authenticator
sudo chmod 660 /home/john/.google_authenticator sudo chmod 660 /home/john/.google_authenticator

51
conf/ocsp-verify.sh
View File

@@ -1,32 +1,35 @@
#!/bin/bash #!/bin/bash
depth=$1 # fonte: https://github.com/OpenVPN/openvpn/blob/master/contrib/OCSP_check/OCSP_check.sh
env >> /etc/openvpn/server/ocsp_env.log
if [ "$depth" -eq 0 ]; then
echo "Checking OCSP for serial=$tls_serial_0" >> /etc/openvpn/server/ocsp.log
if [ -n "$tls_serial_0" ]; then
# é preciso converter o serial para hexadecimal porque o openssl espera em hex
hex_serial=$(printf '%x' "$tls_serial_0")
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>>/etc/openvpn/server/ocsp.log)
echo "OCSP Status: $status" >> /etc/openvpn/server/ocsp.log
if echo "$status" | grep -q "revoked"; then ocsp_url="http://10.60.0.1:8888"
echo "Result: REVOKED" >> /etc/openvpn/server/ocsp.log issuer="/etc/openvpn/server/ca.crt"
exit 1 nonce="-no_nonce"
fi verify="/etc/openvpn/server/ca.crt"
check_depth=0
if echo "$status" | grep -q "good"; then cur_depth=$1
echo "Result: GOOD" >> /etc/openvpn/server/ocsp.log common_name=$2
exit 0
fi
echo "Result: UNKNOWN/ERROR" >> /etc/openvpn/server/ocsp.log if [ -z "$issuer" ] || [ ! -e "$issuer" ] || [ -z "$verify" ] || [ ! -e "$verify" ] || [ -z "$ocsp_url" ]; then
exit 1 exit 1
else
echo "tls_serial_0 is empty!" >> /etc/openvpn/server/ocsp.log
exit 1
fi
fi fi
echo "ERROR: depth > 0" >> /etc/openvpn/server/ocsp.log if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
eval serial="\$tls_serial_${cur_depth}"
exit 0 if [ -n "$serial" ]; then
status=$(openssl ocsp -issuer "$issuer" "$nonce" -CAfile "$verify" -url "$ocsp_url" -serial "${serial}" 2>&1)
if [ $? -eq 0 ]; then
if echo "$status" | grep -Eq "(error|fail)"; then
exit 1
fi
if echo "$status" | grep -Eq "^${serial}: good" && echo "$status" | grep -Eq "^Response verify OK"; then
exit 0
fi
fi
fi
exit 1
fi

51
relatorio/relatorio.tex
View File

@@ -252,37 +252,40 @@ e verifica o resultado.
\begin{codeblock}{ocsp\_verify.sh} \begin{codeblock}{ocsp\_verify.sh}
#!/bin/bash #!/bin/bash
depth=$1 # fonte: https://github.com/OpenVPN/openvpn/blob/master/contrib/OCSP_check/OCSP_check.sh
env >> /etc/openvpn/server/ocsp_env.log
if [ "$depth" -eq 0 ]; then
echo "Checking OCSP for serial=$tls_serial_0" >> /etc/openvpn/server/ocsp.log
if [ -n "$tls_serial_0" ]; then
# e preciso converter o serial para hexadecimal porque o openssl espera em hex
hex_serial=$(printf '%x' "$tls_serial_0")
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>>/etc/openvpn/server/ocsp.log)
echo "OCSP Status: $status" >> /etc/openvpn/server/ocsp.log
if echo "$status" | grep -q "revoked"; then ocsp_url="http://10.60.0.1:8888"
echo "Result: REVOKED" >> /etc/openvpn/server/ocsp.log issuer="/etc/openvpn/server/ca.crt"
exit 1 nonce="-no_nonce"
fi verify="/etc/openvpn/server/ca.crt"
check_depth=0
if echo "$status" | grep -q "good"; then cur_depth=$1
echo "Result: GOOD" >> /etc/openvpn/server/ocsp.log common_name=$2
exit 0
fi
echo "Result: UNKNOWN/ERROR" >> /etc/openvpn/server/ocsp.log if [ -z "$issuer" ] || [ ! -e "$issuer" ] || [ -z "$verify" ] || [ ! -e "$verify" ] || [ -z "$ocsp_url" ]; then
exit 1 exit 1
else
echo "tls_serial_0 is empty!" >> /etc/openvpn/server/ocsp.log
exit 1
fi
fi fi
echo "ERROR: depth > 0" >> /etc/openvpn/server/ocsp.log if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
eval serial="\$tls_serial_${cur_depth}"
exit 0 if [ -n "$serial" ]; then
status=$(openssl ocsp -issuer "$issuer" "$nonce" -CAfile "$verify" -url "$ocsp_url" -serial "${serial}" 2>&1)
if [ $? -eq 0 ]; then
if echo "$status" | grep -Eq "(error|fail)"; then
exit 1
fi
if echo "$status" | grep -Eq "^${serial}: good" && echo "$status" | grep -Eq "^Response verify OK"; then
exit 0
fi
fi
fi
exit 1
fi
\end{codeblock} \end{codeblock}
\subsection{Erros} \subsection{Erros}