authorGlenn Strauss <gstrauss@gluelogic.com>2020-06-09 02:32:27 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2020-07-08 22:51:31 -0400
commit0563407d09e9521e5fd06e39574401cc36ff865c (patch)
tree26e7a77b00b7007fcdcbb3cb72626fe52bec2521 /doc
parentb2b6257c7acb8789c0c547f732792a035cf796ff (diff)
[TLS] cert-staple.sh - refresh OCSP responses (#2469)
convenience script that can be run periodically from a scheduled job to refresh the OCSP responses used for OCSP stapling
Diffstat (limited to 'doc')
-rw-r--r--doc/scripts/Makefile.am1
-rwxr-xr-xdoc/scripts/cert-staple.sh63
2 files changed, 64 insertions, 0 deletions
diff --git a/doc/scripts/Makefile.am b/doc/scripts/Makefile.am
index b07b8a2f..71a830e0 100644
--- a/doc/scripts/Makefile.am
+++ b/doc/scripts/Makefile.am
@@ -1,4 +1,5 @@
EXTRA_DIST= \
+ cert-staple.sh \
create-mime.conf.pl \
rrdtool-graph.sh \
spawn-php.sh
diff --git a/doc/scripts/cert-staple.sh b/doc/scripts/cert-staple.sh
new file mode 100755
index 00000000..6725a187
--- /dev/null
+++ b/doc/scripts/cert-staple.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+CERT_PEM="$1" # input (cert.pem)
+CHAIN_PEM="$2" # input (chain.pem)
+OCSP_DER="$3" # output symlink (staple.der)
+
+OCSP_TMP="" # temporary file
+
+if [[ -z "$CERT_PEM" ]] || [[ -z "$CHAIN_PEM" ]] || [[ -z "$OCSP_DER" ]] \
+ || [[ ! -f "$CERT_PEM" ]] || [[ ! -f "$CHAIN_PEM" ]]; then
+ echo 1>&2 "usage: cert-staple.sh cert.pem chain.pem staple.der"
+ exit 1
+fi
+
+function errexit {
+ [[ -n "$OCSP_TMP" ]] && rm -f "$OCSP_TMP"
+ exit 1
+}
+
+# get URI of OCSP responder from certificate
+OCSP_URI=$(openssl x509 -in "$CERT_PEM" -ocsp_uri -noout)
+[[ $? = 0 ]] && [[ -n "$OCSP_URI" ]] || exit 1
+
+# get OCSP response from OCSP responder
+OCSP_TMP="$OCSP_DER.$$"
+OCSP_RESP=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respout "$OCSP_TMP" -noverify -no_nonce -url "$OCSP_URI")
+[[ $? = 0 ]] || errexit
+
+# parse OCSP response from OCSP responder
+#
+#$CERT_PEM: good
+# This Update: Jun 5 21:00:00 2020 GMT
+# Next Update: Jun 12 21:00:00 2020 GMT
+
+ocsp_status="$(printf %s "$OCSP_RESP" | head -1)"
+[[ "$ocsp_status" = "$CERT_PEM: good" ]] || errexit
+
+next_update="$(printf %s "$OCSP_RESP" | grep 'Next Update:')"
+next_date="$(printf %s "$next_update" | sed 's/.*Next Update: //')"
+[[ -n "$next_date" ]] || errexit
+ocsp_expire=$(date -d "$next_date" +%s)
+
+# validate OCSP response
+ocsp_verify=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respin "$OCSP_TMP" -no_nonce -out /dev/null 2>&1)
+[[ "$ocsp_verify" = "Response verify OK" ]] || errexit
+
+# rename and update symlink to install OCSP response to be used in OCSP stapling
+OCSP_OUT="$OCSP_DER.$ocsp_expire"
+mv "$OCSP_TMP" "$OCSP_OUT" || errexit
+OCSP_TMP=""
+ln -sf "${OCSP_OUT##*/}" "$OCSP_DER" || errexit
+
+# debug: display text output of OCSP .der file
+#openssl ocsp -respin "$OCSP_DER" -resp_text -noverify
+
+# remove old OCSP responses which have expired
+now=$(date +%s)
+for i in "$OCSP_DER".*; do
+ ts="${i#${OCSP_DER}.}"
+ if [[ -n "$ts" ]] && [[ "$ts" -lt "$now" ]]; then
+ rm -f "$i"
+ fi
+done
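Review bot: The script declares `#!/bin/sh` but uses `[[ ... ]]` throughout and the `function errexit` form, which are bash extensions; on systems where /bin/sh is dash or another POSIX shell the usage test fails with "[[: not found" and the `function` line is a syntax error, so the job never refreshes a staple. Either change the first line to `#!/bin/bash` or rewrite the tests as `[ ... ]` and the definition as `errexit() {`. A second gap is that `ocsp_expire=$(date -d "$next_date" +%s)` is never checked: `date -d` is GNU-specific, and if it fails the variable is empty, the response is installed as `$OCSP_DER.` with an empty timestamp, and the expiry-based cleanup loop skips it forever; adding `[[ -n "$ocsp_expire" ]] || errexit` right after that line closes this, and the same empty-value hazard would make the temp name predictable only in the admin-owned output directory, so that part is acceptable. Lastly, the cleanup loop's `[[ "$ts" -lt "$now" ]]` raises an arithmetic error for any non-numeric suffix (e.g. a stray `$OCSP_DER.bak`); guarding with `[[ "$ts" == +([0-9]) ]]` or a `case` pattern keeps the loop quiet.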