Merge branch 'NickMRamirez-partialchain'
commit
169516d9da
19
hapos-upd
19
hapos-upd
|
@ -30,6 +30,7 @@ OCSP_HOST=""
|
||||||
VERIFY=1
|
VERIFY=1
|
||||||
TMP=""
|
TMP=""
|
||||||
SKIP_UPDATE=0
|
SKIP_UPDATE=0
|
||||||
|
PARTIAL_CHAIN=""
|
||||||
|
|
||||||
function Quit() {
|
function Quit() {
|
||||||
if [ $KEEP_TEMP -eq 0 ]; then
|
if [ $KEEP_TEMP -eq 0 ]; then
|
||||||
|
@ -140,6 +141,10 @@ Options:
|
||||||
'Host:' header; use this instead of the one
|
'Host:' header; use this instead of the one
|
||||||
extracted from the OCSP server URL.
|
extracted from the OCSP server URL.
|
||||||
|
|
||||||
|
--partial-chain : Allow partial certificate chain if at least one certificate
|
||||||
|
is in trusted store. Useful when validating an intermediate
|
||||||
|
certificate without the root CA.
|
||||||
|
|
||||||
-s, --socket file : haproxy admin socket. If omitted,
|
-s, --socket file : haproxy admin socket. If omitted,
|
||||||
$HAPROXY_ADMIN_SOCKET_DEFAULT is used by default.
|
$HAPROXY_ADMIN_SOCKET_DEFAULT is used by default.
|
||||||
This script is distributed with only one
|
This script is distributed with only one
|
||||||
|
@ -196,6 +201,10 @@ do
|
||||||
VERIFY=0
|
VERIFY=0
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
--partial-chain)
|
||||||
|
PARTIAL_CHAIN="-partial_chain"
|
||||||
|
;;
|
||||||
|
|
||||||
-l|--syslog)
|
-l|--syslog)
|
||||||
if [ $# -le 1 ]; then
|
if [ $# -le 1 ]; then
|
||||||
Error 9 "mandatory value is missing for $1 argument"
|
Error 9 "mandatory value is missing for $1 argument"
|
||||||
|
@ -423,7 +432,7 @@ else
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# check if the EE certificate validates against the chain
|
# check if the EE certificate validates against the chain
|
||||||
$OPENSSL_BIN verify -CAfile $TMP/chain.pem $TMP/ee.pem &>>$TMP/log
|
$OPENSSL_BIN verify $PARTIAL_CHAIN -CAfile $TMP/chain.pem $TMP/ee.pem &>>$TMP/log
|
||||||
|
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
if [ -e $CERT.issuer ]; then
|
if [ -e $CERT.issuer ]; then
|
||||||
|
@ -442,11 +451,11 @@ $OPENSSL_BIN version | grep "OpenSSL 1.0" &>/dev/null
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
# OpenSSL 1.0.x
|
# OpenSSL 1.0.x
|
||||||
|
|
||||||
$OPENSSL_BIN ocsp -issuer $TMP/chain.pem -cert $TMP/ee.pem \
|
$OPENSSL_BIN ocsp $PARTIAL_CHAIN -issuer $TMP/chain.pem -cert $TMP/ee.pem \
|
||||||
-respout $TMP/ocsp.der -noverify \
|
-respout $TMP/ocsp.der -noverify \
|
||||||
-no_nonce -url $OCSP_URL -header "Host" "$OCSP_HOST" &>>$TMP/log
|
-no_nonce -url $OCSP_URL -header "Host" "$OCSP_HOST" &>>$TMP/log
|
||||||
else
|
else
|
||||||
$OPENSSL_BIN ocsp -issuer $TMP/chain.pem -cert $TMP/ee.pem \
|
$OPENSSL_BIN ocsp $PARTIAL_CHAIN -issuer $TMP/chain.pem -cert $TMP/ee.pem \
|
||||||
-respout $TMP/ocsp.der -noverify \
|
-respout $TMP/ocsp.der -noverify \
|
||||||
-no_nonce -url $OCSP_URL -header "Host=$OCSP_HOST" &>>$TMP/log
|
-no_nonce -url $OCSP_URL -header "Host=$OCSP_HOST" &>>$TMP/log
|
||||||
fi
|
fi
|
||||||
|
@ -461,11 +470,11 @@ if [ $VERIFY -eq 0 ]; then
|
||||||
VERIFYOPT="-noverify"
|
VERIFYOPT="-noverify"
|
||||||
fi
|
fi
|
||||||
if [ -z "$VAFILE" ]; then
|
if [ -z "$VAFILE" ]; then
|
||||||
$OPENSSL_BIN ocsp $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \
|
$OPENSSL_BIN ocsp $PARTIAL_CHAIN $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \
|
||||||
-respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \
|
-respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \
|
||||||
-out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt
|
-out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt
|
||||||
else
|
else
|
||||||
$OPENSSL_BIN ocsp $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \
|
$OPENSSL_BIN ocsp $PARTIAL_CHAIN $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \
|
||||||
-respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \
|
-respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \
|
||||||
-VAfile $VAFILE \
|
-VAfile $VAFILE \
|
||||||
-out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt
|
-out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt
|
||||||
|
|
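Review bot: In the verify hunk (`$OPENSSL_BIN verify $PARTIAL_CHAIN -CAfile $TMP/chain.pem $TMP/ee.pem`) the only trust store handed to OpenSSL is `$TMP/chain.pem`, so with `--partial-chain` the EE certificate is accepted as soon as it chains to any certificate in that bundle, and the comment above the line ("validates against the chain") no longer means a path to a root was found; the help text says "in trusted store" but should say which store, e.g. `--partial-chain : Accept a chain ending in any certificate of the chain file (no root CA required); weakens the verify step, use only when the root is deliberately not bundled.` and the line comment `# with --partial-chain any cert in chain.pem is accepted as a trust anchor`. The same flag is also appended in the two request hunks that already pass `-noverify`, where it has no effect and, on an OpenSSL build that predates `-partial_chain` (it arrived with the partial-chain verify flag, after the early 1.0 releases — please confirm against the versions the "OpenSSL 1.0.x" branch is meant to support), turns a working request into an unknown-option failure; dropping `$PARTIAL_CHAIN` from those two calls keeps the option to the places that actually verify. Leaving `$PARTIAL_CHAIN` unquoted is correct here only because its value is a single fixed token, which is worth a one-line comment at the assignment `PARTIAL_CHAIN="-partial_chain"  # single token, intentionally unquoted at use sites`.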