diff options
author | Glenn Strauss <gstrauss@gluelogic.com> | 2020-09-03 19:16:30 -0400 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2020-10-11 12:19:26 -0400 |
commit | 2cdb862787119497110986b6865ad3ccb4048136 (patch) | |
tree | 61db2a6392fed9faeefd7be1441eb59cad9962a4 /doc | |
parent | 5547530a01fbfdc6cbd132464710ee59aa48b1b4 (diff) | |
download | lighttpd-git-2cdb862787119497110986b6865ad3ccb4048136.tar.gz |
[scripts] cert-staple.sh enhancements
support validation from list of multiple signers
attempt to handle older (end-of-life) versions of OpenSSL
(thx avij)
Diffstat (limited to 'doc')
-rwxr-xr-x | doc/scripts/cert-staple.sh | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/doc/scripts/cert-staple.sh b/doc/scripts/cert-staple.sh index 6725a187..c50a4031 100755 --- a/doc/scripts/cert-staple.sh +++ b/doc/scripts/cert-staple.sh @@ -21,9 +21,17 @@ function errexit { OCSP_URI=$(openssl x509 -in "$CERT_PEM" -ocsp_uri -noout) [[ $? = 0 ]] && [[ -n "$OCSP_URI" ]] || exit 1 +# exception for (unsupported, end-of-life) older versions of OpenSSL +OCSP_HOST= +OPENSSL_VERSION=$(openssl version) +if [[ "${OPENSSL_VERSION}" != "${OPENSSL_VERSION#OpenSSL 1.0.}" ]]; then + # get authority from URI + OCSP_HOST=$(echo "$OCSP_URI" | cut -d/ -f3) +fi + # get OCSP response from OCSP responder OCSP_TMP="$OCSP_DER.$$" -OCSP_RESP=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respout "$OCSP_TMP" -noverify -no_nonce -url "$OCSP_URI") +OCSP_RESP=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respout "$OCSP_TMP" -noverify -no_nonce -url "$OCSP_URI" ${OCSP_HOST:+-header Host "$OCSP_HOST"}) [[ $? = 0 ]] || errexit # parse OCSP response from OCSP responder @@ -41,7 +49,7 @@ next_date="$(printf %s "$next_update" | sed 's/.*Next Update: //')" ocsp_expire=$(date -d "$next_date" +%s) # validate OCSP response -ocsp_verify=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respin "$OCSP_TMP" -no_nonce -out /dev/null 2>&1) +ocsp_verify=$(openssl ocsp -issuer "$CHAIN_PEM" -verify_other "$CHAIN_PEM" -cert "$CERT_PEM" -respin "$OCSP_TMP" -no_nonce -out /dev/null 2>&1) [[ "$ocsp_verify" = "Response verify OK" ]] || errexit # rename and update symlink to install OCSP response to be used in OCSP stapling |