Merge branch 'NickMRamirez-partialchain'

Pier Carlo Chiodi 2017-05-22 18:26:51 +02:00
commit 169516d9da
1 changed files with 14 additions and 5 deletions


@ -30,6 +30,7 @@ OCSP_HOST=""
VERIFY=1 VERIFY=1
TMP="" TMP=""
SKIP_UPDATE=0 SKIP_UPDATE=0
PARTIAL_CHAIN=""
function Quit() { function Quit() {
if [ $KEEP_TEMP -eq 0 ]; then if [ $KEEP_TEMP -eq 0 ]; then
@ -140,6 +141,10 @@ Options:
'Host:' header; use this instead of the one 'Host:' header; use this instead of the one
extracted from the OCSP server URL. extracted from the OCSP server URL.
--partial-chain : Allow partial certificate chain if at least one certificate
is in trusted store. Useful when validating an intermediate
certificate without the root CA.
-s, --socket file : haproxy admin socket. If omitted, -s, --socket file : haproxy admin socket. If omitted,
$HAPROXY_ADMIN_SOCKET_DEFAULT is used by default. $HAPROXY_ADMIN_SOCKET_DEFAULT is used by default.
This script is distributed with only one This script is distributed with only one
@ -196,6 +201,10 @@ do
VERIFY=0 VERIFY=0
;; ;;
--partial-chain)
PARTIAL_CHAIN="-partial_chain"
;;
-l|--syslog) -l|--syslog)
if [ $# -le 1 ]; then if [ $# -le 1 ]; then
Error 9 "mandatory value is missing for $1 argument" Error 9 "mandatory value is missing for $1 argument"
@ -423,7 +432,7 @@ else
fi fi
# check if the EE certificate validates against the chain # check if the EE certificate validates against the chain
$OPENSSL_BIN verify -CAfile $TMP/chain.pem $TMP/ee.pem &>>$TMP/log $OPENSSL_BIN verify $PARTIAL_CHAIN -CAfile $TMP/chain.pem $TMP/ee.pem &>>$TMP/log
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
if [ -e $CERT.issuer ]; then if [ -e $CERT.issuer ]; then
@ -442,11 +451,11 @@ $OPENSSL_BIN version | grep "OpenSSL 1.0" &>/dev/null
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
# OpenSSL 1.0.x # OpenSSL 1.0.x
$OPENSSL_BIN ocsp -issuer $TMP/chain.pem -cert $TMP/ee.pem \ $OPENSSL_BIN ocsp $PARTIAL_CHAIN -issuer $TMP/chain.pem -cert $TMP/ee.pem \
-respout $TMP/ocsp.der -noverify \ -respout $TMP/ocsp.der -noverify \
-no_nonce -url $OCSP_URL -header "Host" "$OCSP_HOST" &>>$TMP/log -no_nonce -url $OCSP_URL -header "Host" "$OCSP_HOST" &>>$TMP/log
else else
$OPENSSL_BIN ocsp -issuer $TMP/chain.pem -cert $TMP/ee.pem \ $OPENSSL_BIN ocsp $PARTIAL_CHAIN -issuer $TMP/chain.pem -cert $TMP/ee.pem \
-respout $TMP/ocsp.der -noverify \ -respout $TMP/ocsp.der -noverify \
-no_nonce -url $OCSP_URL -header "Host=$OCSP_HOST" &>>$TMP/log -no_nonce -url $OCSP_URL -header "Host=$OCSP_HOST" &>>$TMP/log
fi fi
@ -461,11 +470,11 @@ if [ $VERIFY -eq 0 ]; then
VERIFYOPT="-noverify" VERIFYOPT="-noverify"
fi fi
if [ -z "$VAFILE" ]; then if [ -z "$VAFILE" ]; then
$OPENSSL_BIN ocsp $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \ $OPENSSL_BIN ocsp $PARTIAL_CHAIN $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \
-respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \ -respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \
-out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt -out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt
else else
$OPENSSL_BIN ocsp $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \ $OPENSSL_BIN ocsp $PARTIAL_CHAIN $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \
-respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \ -respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \
-VAfile $VAFILE \ -VAfile $VAFILE \
-out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt -out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt
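Review bot: In the `@ -442` hunk the two response-fetch calls (the `-noverify` branches on old lines 444 and 448) now pass `$PARTIAL_CHAIN`, but it cannot influence anything there since `-noverify` skips response verification entirely; the flag is only meaningful for the `verify` call in the `@ -423` hunk and the `-CAfile`/`-VAfile` verification calls in the `@ -461` hunk. It is not merely redundant: as far as I recall `-partial_chain` first appeared in OpenSSL 1.0.2, so on a 1.0.1 build — which the `grep "OpenSSL 1.0"` branch still matches — the fetch would abort with an unknown-option error even though no verification was requested. I would restore both fetch lines to `$OPENSSL_BIN ocsp -issuer $TMP/chain.pem -cert $TMP/ee.pem \` and keep `$PARTIAL_CHAIN` only where a chain is actually checked. The help text in the `@ -140` hunk should also tell the operator what the trust anchor becomes, e.g. appending `Verification then succeeds once any certificate in the chain file is reached, so that file becomes the effective trust anchor.`, since `-CAfile $TMP/chain.pem` is the chain itself. The if/else blocks around these calls start and end outside the hunks.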