Diffstat (limited to 'functions/ocsp.php')
-rw-r--r--functions/ocsp.php6
1 files changed, 3 insertions, 3 deletions
diff --git a/functions/ocsp.php b/functions/ocsp.php
index 8a5e54e..b9cefcb 100644
--- a/functions/ocsp.php
+++ b/functions/ocsp.php
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
function ocsp_stapling($host, $ip, $port) {
+ //used openssl cli to check if host has enabled oscp stapling.
global $timeout;
if (filter_var(preg_replace('/[^A-Za-z0-9\.\:_-]/', '', $ip), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
// ipv6 openssl tools are broken. (https://rt.openssl.org/Ticket/Display.html?id=1365&user=guest&pass=guest)
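Review bot: The comment added directly under the `ocsp_stapling` signature misspells the protocol (`oscp`) and does not say what the function reports; suggest `// Uses the openssl CLI to check whether $host:$port has OCSP stapling enabled.` so the comment reads correctly when grepping for OCSP. Note that the sanitized value on the `filter_var(preg_replace(...))` line is only used for the IPv6 decision — whether the raw `$ip`/`$host` are later escaped before reaching the shell cannot be seen here, so that is worth a look. The openssl invocation the comment refers to, and the rest of the function body, lie outside this hunk.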
@@ -50,6 +51,7 @@ function ocsp_stapling($host, $ip, $port) {
}
function ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri) {
+ //uses openssl cli to validate cert status with ocsp
global $random_blurp, $timeout;
$result = array();
$tmp_dir = '/tmp/';
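Review bot: The comment added under the `ocsp_verify_json` signature names the openssl call but not the side effect visible two lines below it — the function stages material under the hard-coded `$tmp_dir = '/tmp/'` using the global `$random_blurp` as a file-name prefix; suggest `// Uses the openssl CLI to validate the certificate's status via OCSP; the cert and issuer are written to temp files under $tmp_dir (prefix $random_blurp) for the duration of the call.` A shared, world-writable `/tmp` with a prefix supplied from a global is a classic collision/symlink spot; if `$random_blurp` is not generated per request from a CSPRNG (its origin is outside this hunk), `tempnam(sys_get_temp_dir(), ...)` or a private directory would be the safer default. Relying on `global $random_blurp, $timeout` also makes this hard to test; passing them as parameters with defaults would keep callers working. The rest of the function body continues beyond this hunk.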
@@ -65,8 +67,6 @@ function ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri) {
// Some OCSP's want HTTP/1.1 but OpenSSL does not do that. Add Host header as workaround.
$ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST);
- //pre_dump('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc.' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1');
-
$output = shell_exec('timeout ' . $timeout . ' | openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1');
$filter_output = shell_exec('timeout ' . $timeout . ' | openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$isser_loc .' -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"');
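Review bot: The `-url` and `-header` values on both `shell_exec` lines are wrapped in literal double quotes and run through `escapeshellcmd()`, which is not a per-argument escape: `escapeshellcmd()` leaves paired `"` characters untouched, so an OCSP URI taken from an attacker-controlled certificate's AIA extension that contains two double quotes can close the quoting and smuggle extra openssl options (`-CAfile`, `-out`, ...) into the command; each value should be passed through `escapeshellarg()` with no surrounding quotes, e.g. `' -url ' . escapeshellarg($ocsp_uri) . ' -header "HOST" ' . escapeshellarg($ocsp_host)`. Separately, `timeout ' . $timeout . ' | openssl ...` pipes the output of `timeout` (invoked with no command) into openssl and bounds nothing; the form that actually limits the responder call is `timeout <n> openssl ocsp ...`. The remaining interpolated pieces (`$root_ca`, `$isser_loc`, `$tmp_dir.$random_blurp`) are unquoted and appear to be internally generated (they are defined outside this hunk), but escaping them the same way costs nothing. Building the command once and reusing it for the filtered run, as below, removes the duplicated string and halves the responder round-trips. One hedged caveat: OpenSSL 1.1.0+ parses `-header` as a single `name=value` token rather than two arguments, so depending on the installed version the Host workaround may need `-header ' . escapeshellarg('HOST=' . $ocsp_host)`.
```php
// … unchanged: $ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST); …
$cert_path = $tmp_dir . $random_blurp . '.cert_client.pem';
$cmd = 'timeout ' . escapeshellarg($timeout) . ' openssl ocsp -no_nonce'
     . ' -CAfile ' . escapeshellarg($root_ca)
     . ' -issuer ' . escapeshellarg($isser_loc)
     . ' -cert ' . escapeshellarg($cert_path)
     . ' -url ' . escapeshellarg($ocsp_uri)
     . ' -header "HOST" ' . escapeshellarg($ocsp_host) . ' 2>&1';
$output = shell_exec($cmd);
$filter_output = shell_exec($cmd . ' | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e ' . escapeshellarg($cert_path));
```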
@@ -105,7 +105,7 @@ function ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri) {
$result["revocation_time"] = $lines["Revocation Time"];
}
$result["ocsp_uri"] = $ocsp_uri;
-
+ //remove temp files after use
unlink($tmp_dir.$random_blurp.'.cert_client.pem');
unlink($tmp_dir.$random_blurp.'.cert_issuer.pem');