From de0fb97e71f0bc63f59ad8a6cfa19dc4914f2514 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Thu, 16 Oct 2014 12:40:17 +0200
Subject: Update OpenVPN
--HG--
extra : rebase_source : eae76bb97139022b5592b2599b7e3870054bcaa9
---
main/openvpn/contrib/OCSP_check/OCSP_check.sh | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
(limited to 'main/openvpn/contrib')
diff --git a/main/openvpn/contrib/OCSP_check/OCSP_check.sh b/main/openvpn/contrib/OCSP_check/OCSP_check.sh
index 553c3dce..6876c6d8 100644
--- a/main/openvpn/contrib/OCSP_check/OCSP_check.sh
+++ b/main/openvpn/contrib/OCSP_check/OCSP_check.sh
@@ -97,12 +97,19 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
 "$nonce" \
 -CAfile "$verify" \
 -url "$ocsp_url" \
- -serial "${serial}" 2>/dev/null)
+ -serial "${serial}" 2>&1)
 if [ $? -eq 0 ]; then
- # check that it's good
+ # check if ocsp didn't report any errors
+ if echo "$status" | grep -Eq "(error|fail)"; then
+ exit 1
+ fi
+ # check that the reported status of certificate is ok
 if echo "$status" | grep -Fq "^${serial}: good"; then
- exit 0
+ # check if signature on the OCSP response verified correctly
+ if echo "$status" | grep -Fq "^Response verify OK"; then
+ exit 0
+ fi
 fi
 fi
 fi
--
cgit v1.2.3
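Review bot: The added test `grep -Fq "^Response verify OK"` cannot match as written, because `-F` makes the pattern a fixed string and the `^` becomes a literal caret instead of a line anchor; the unchanged `grep -Fq "^${serial}: good"` test just above it has the same problem. If that reading holds, the script never reaches `exit 0`, so it fails closed: every certificate checked at this depth would be rejected, rather than a revoked one being accepted. Dropping `-F` restores the anchor, e.g. `if echo "$status" | grep -q "^Response verify OK"; then`, and likewise for the serial line. Separately, `grep -Eq "(error|fail)"` is case-sensitive and now also scans stderr because of `2>&1`, so it is worth confirming against real `openssl ocsp` output which messages it is meant to catch. The `status=$(...)` assignment and the enclosing `if` both begin outside the hunk.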