Bug #11830
closed
Certificate validation with OCSP always fails in ``openvpn.tls-verify.php``
0%
Description
Certificate validation by the script will always fail:
1. exec function used to call "openssl ocsp" returns only the last line of the output, which contains only date of the next update of OCSP, parsing of the line will fail.
2. without option -resp_text openssl returns only certificate serial with addition of "good/revoked" and OCSP update date. Line "Response verify OK" is on the console but not captured in the return.
To resolve both issues additional array parameter must be passed to exec function to accumulate complete "openssl ocsp" output and analyze it. To simplify array can be imploded to a single string and regx used to validate output. The following code tested and works in my environment:
$status = exec("/usr/bin/openssl ocsp -resp_text -issuer " . escapeshellarg($issuer)
. " -no_nonce"
. " -CApath " . escapeshellarg($capath)
. " -url " . escapeshellarg($ovpns['ocspurl'])
. " -serial " . escapeshellarg($serial), $status_out);
$status = implode(",", $status_out);
if (preg_match('/(error|fail)/', $status)) {
echo "FAILED";
closelog();
return;
} else if (preg_match('/Cert Status: good/', $status)) {
if (preg_match('/OCSP Response Status: successful \(0x0\)/', $status)) {
break;
}
} else {
echo "FAILED";
closelog();
return;
}
I would also suggest to add additional logging for success / failure.
Files
Updated by Viktor Gurov 
Updated by 
Updated by 
Updated by Anonymous 
Updated by 
Updated by