OCSP_check.sh fixes #17

Closed
wants to merge 2 commits into from

tomato42
Contributor

OCSP_check.sh doesn't verify multiple error conditions, fix those issues.

When openssl returns the result of parsing and verification of the
OCSP response, the signature verification is separate from the certificate
status; as such, it's necessary to check both of them.

Otherwise results like:

Response Verify Failure
140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:
ca/cert.pem: good
        This Update: Sep 23 12:12:28 2014 GMT

will be accepted as being trustworthy.

Note that "Response verify OK" is printed on stderr, so it can't
be discarded.

Signed-off-by: Hubert Kario <hkario@redhat.com>

In case the responses are too old, the ocsp tool can return text like this:

Response verify OK
ca/cert.pem: WARNING: Status times invalid.
139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:358:
good
        This Update: Sep 21 12:12:48 2014 GMT
        Next Update: Sep 22 12:12:48 2014 GMT

light change in buffering can cause "verify OK" and "ca/cert.pem: good"
to be placed in a way that matching will be valid
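
The checks these two commit messages call for, as an added example that is not part of the pull request or of OpenVPN's script: a POSIX shell function that accepts captured `openssl ocsp` output only when the signature line and the certificate status line are both present as whole lines and no error text appears. The function name `ocsp_output_ok` is hypothetical, and the last two samples are constructed.

```shell
#!/bin/sh
# Added example (not the project's script). ocsp_output_ok is a hypothetical
# helper: $1 = certificate label as printed by openssl, $2 = combined
# stdout+stderr of the `openssl ocsp` run (captured with 2>&1).
ocsp_output_ok() {
    label=$1
    out=$2
    # 1. Any error, failure or warning text rejects the response, so an
    #    expired or unverifiable answer cannot pass on a stray "good".
    if printf '%s\n' "$out" | grep -Eiq 'error|fail|warning'; then
        return 1
    fi
    # 2. The signature result must be present as a whole line (it comes from
    #    stderr, so output captured without 2>&1 fails here).
    printf '%s\n' "$out" | grep -Fxq 'Response verify OK' || return 1
    # 3. The status must be a whole line "<label>: good"; -F keeps dots in
    #    the label literal, -x requires the entire line to match.
    printf '%s\n' "$out" | grep -Fxq "$label: good" || return 1
    return 0
}

# Samples: the first two are the outputs quoted above, the rest are constructed.
SAMPLE_UNVERIFIED='Response Verify Failure
140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:
ca/cert.pem: good
        This Update: Sep 23 12:12:28 2014 GMT'
SAMPLE_EXPIRED='Response verify OK
ca/cert.pem: WARNING: Status times invalid.
139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:358:
good
        This Update: Sep 21 12:12:48 2014 GMT
        Next Update: Sep 22 12:12:48 2014 GMT'
SAMPLE_NO_STDERR='ca/cert.pem: good
        This Update: Sep 23 12:12:28 2014 GMT'
SAMPLE_GOOD='Response verify OK
ca/cert.pem: good
        This Update: Sep 23 12:12:28 2014 GMT
        Next Update: Sep 24 12:12:28 2014 GMT'

for s in "$SAMPLE_UNVERIFIED" "$SAMPLE_EXPIRED" "$SAMPLE_NO_STDERR" "$SAMPLE_GOOD"; do
    if ocsp_output_ok ca/cert.pem "$s"; then echo accept; else echo reject; fi
done
```
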
Member

syzzer commented May 19, 2016

This has been merged as commits e0c9e84 and 51390f4.

syzzer closed this May 19, 2016