Bug #11830

Certificate validation with OCSP always fails in ``openvpn.tls-verify.php``

Added by Konstantin Panchenko 6 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
OpenVPN
Target version:
Start date:
04/20/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
21.05
Release Notes:
Default
Affected Version:
Affected Architecture:
All

Description

Certificate validation by the script will always fail:
1. The exec function used to call "openssl ocsp" returns only the last line of the output, which contains only the date of the next OCSP update, so parsing of that line will fail.
2. Without the option -resp_text, openssl returns only the certificate serial with the addition of "good/revoked" and the OCSP update date. The line "Response verify OK" is printed on the console but not captured in the return value.

To resolve both issues, an additional array parameter must be passed to the exec function to accumulate the complete "openssl ocsp" output and analyze it. To simplify, the array can be imploded into a single string and a regex used to validate the output. The following code was tested and works in my environment:

$status_out = [];   // exec() appends to an existing array, so reset it before every call
$status = exec("/usr/bin/openssl ocsp -resp_text -issuer " . escapeshellarg($issuer)
    . " -no_nonce"
    . " -CApath " . escapeshellarg($capath)
    . " -url " . escapeshellarg($ovpns['ocspurl'])
    . " -serial " . escapeshellarg($serial)
    . " 2>&1", $status_out);   // merge stderr: "Response verify OK" / "Response Verify Failure" are printed there, not on stdout
// exec() itself returned only the last line; join every captured line so the checks below see the whole output
$status = implode(",", $status_out);
if (preg_match('/(error|fail)/i', $status)) {
    // any OpenSSL error line or a "Response Verify Failure" (case-insensitive so "Failure" is caught)
    echo "FAILED";
    closelog();
    return;
} else if (preg_match('/Cert Status: good/', $status)) {
    if (preg_match('/OCSP Response Status: successful \(0x0\)/', $status)) {
        break;   // certificate is good: leave the script's verification loop
    }
} else {
    // "revoked", "unknown" or no recognisable status line at all
    echo "FAILED";
    closelog();
    return;
}

I would also suggest adding additional logging for success / failure.
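The following is an added example, not code from this issue or from the OpenVPN verify script, showing the same idea in a form that can be exercised offline: capture the full "openssl ocsp -resp_text" output via exec()'s array parameter and reduce it to a verdict. The function names, the sample output lines and the serials are constructed for illustration; the command line mirrors the one in the report. Two checks beyond the report's regex are included: "Response verify OK" / "Response Verify Failure" are written by openssl to stderr (so stderr is merged and the exit status is consulted), and the "Serial Number" in the response is compared with the serial that was queried.

```php
<?php
// Added example (not the verify script's own code). Helper names, sample output
// and serial values are assumptions/constructed data for illustration.

/**
 * Run the OCSP query and return [all output lines, exit status].
 * exec() returns only the LAST line; the complete output lands in $lines.
 * stderr is merged because openssl prints "Response verify OK" and
 * "Response Verify Failure" there, not on stdout.
 */
function ocsp_query(string $issuer, string $capath, string $url, string $serial): array
{
    $cmd = '/usr/bin/openssl ocsp -resp_text -no_nonce'
         . ' -issuer ' . escapeshellarg($issuer)
         . ' -CApath ' . escapeshellarg($capath)
         . ' -url ' . escapeshellarg($url)
         . ' -serial ' . escapeshellarg($serial)
         . ' 2>&1';
    $lines = [];            // exec() appends to an existing array, so start empty
    exec($cmd, $lines, $rc);
    return [$lines, $rc];
}

/**
 * Reduce the captured output to "good", "revoked" or "unknown".
 * Only "good" is acceptable; a failed signature check, a non-successful
 * response, or a response about a different serial all yield "unknown".
 */
function ocsp_verdict(array $lines, int $rc, string $serial): string
{
    $text = implode("\n", $lines);

    // Non-zero exit or no "Response verify OK": the responder signature did not
    // verify against -CApath, so the "Cert Status" line must not be trusted.
    if ($rc !== 0 || !preg_match('/^Response verify OK$/m', $text)) {
        return 'unknown';
    }
    if (!preg_match('/^\s*OCSP Response Status: successful \(0x0\)$/m', $text)) {
        return 'unknown';
    }
    // The response must be about the serial we asked for (hex; ignore case,
    // an optional 0x prefix and leading zeros).
    $want = ltrim(strtoupper(preg_replace('/^0x/i', '', $serial)), '0');
    if (!preg_match('/^\s*Serial Number: ([0-9A-Fa-f]+)$/m', $text, $m)
        || ltrim(strtoupper($m[1]), '0') !== $want) {
        return 'unknown';
    }
    if (preg_match('/^\s*Cert Status: (good|revoked|unknown)$/m', $text, $m)) {
        return $m[1];
    }
    return 'unknown';
}

// Constructed sample of "openssl ocsp -resp_text" output for a good certificate.
// Note the last line: exec()'s return value alone would be just "Next Update: ...".
$goodOutput = [
    'OCSP Response Data:',
    '    OCSP Response Status: successful (0x0)',
    '    Response Type: Basic OCSP Response',
    '    Responses:',
    '    Certificate ID:',
    '      Serial Number: 0A1B2C',
    '    Cert Status: good',
    '    This Update: Apr 20 10:00:00 2021 GMT',
    '    Next Update: Apr 21 10:00:00 2021 GMT',
    'Response verify OK',
    '0A1B2C: good',
    "\tThis Update: Apr 20 10:00:00 2021 GMT",
    "\tNext Update: Apr 21 10:00:00 2021 GMT",
];
// Same response with a revoked status (constructed).
$revokedOutput = str_replace('good', 'revoked', $goodOutput);
// Same response body, but the signature check failed: openssl exits 1 (constructed).
$badSigOutput = array_merge(array_slice($goodOutput, 0, 9), ['Response Verify Failure']);

$cases = [
    ['good',    $goodOutput,    0, '0x0A1B2C'],
    ['revoked', $revokedOutput, 0, '0x0A1B2C'],
    ['unknown', $badSigOutput,  1, '0x0A1B2C'],
    ['unknown', $goodOutput,    0, '0xDEADBEEF'],  // response for another serial
];
foreach ($cases as [$expected, $lines, $rc, $serial]) {
    $got = ocsp_verdict($lines, $rc, $serial);
    echo str_pad($expected, 8) . ($got === $expected ? 'OK' : "MISMATCH ($got)") . "\n";
}
```

In the script itself the two functions would be combined as `[$lines, $rc] = ocsp_query(...); if (ocsp_verdict($lines, $rc, $serial) !== 'good') { echo "FAILED"; ... }`; consulting the exit status is the cheapest guard, because openssl exits non-zero when the response signature does not verify regardless of what the "Cert Status" line says.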
