@BlackthornYugen
Last active February 23, 2016 17:57
This is a script that verifies a site's certificate using OCSP via openssl

OCSP Test

Examples

Good certificate

sh ./ocsp_test.sh google.ca
======== Downloading certificates ========
Saving certificate in "ssl_certificate_nAy.pem"...
10.8kB 0:00:00 [ 124kB/s] [   <=>                                                                                                                                                                  ]
Saving certificate chain in "ssl_certificate_chain_kL9.pem"...
2.63kB 0:00:00 [  40kB/s] [   <=>                                                                                                                                                                  ]

============ Locating OCSP URI ===========
The full OCSP address is "http://clients1.google.com/ocsp", so the host is "clients1.google.com"

======= Performing OCSP Validation =======
WARNING: no nonce in response
Response verify OK
/tmp/ssl_certificate_nAy.pem: good
	This Update: Aug 23 07:01:21 2015 GMT
	Next Update: Aug 30 07:01:21 2015 GMT

=========== Removing temp files ==========
removed ‘/tmp/ssl_certificate_nAy.pem’
removed ‘/tmp/ssl_certificate_chain_kL9.pem’

Bad Certificate

sh ./ocsp_test.sh test-sspev.verisign.com 2443
======== Downloading certificates ========
Saving certificate in "ssl_certificate_21q.pem"...
   2kB 0:00:00 [5.03kB/s] [   <=>                                                                                                                                                                  ]
Saving certificate chain in "ssl_certificate_chain_bmS.pem"...
 3.5kB 0:00:00 [13.1kB/s] [   <=>                                                                                                                                                                  ]

============ Locating OCSP URI ===========
The full OCSP address is "http://sr.symcd.com", so the host is "sr.symcd.com"

======= Performing OCSP Validation =======
WARNING: no nonce in response
Response Verify Failure
140545422997152:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
/tmp/ssl_certificate_21q.pem: revoked
	This Update: Jul  7 22:38:29 2015 GMT
	Next Update: Oct  3 10:24:12 2015 GMT
	Reason: unspecified
	Revocation Time: Oct 29 21:29:37 2014 GMT

=========== Removing temp files ==========
removed ‘/tmp/ssl_certificate_21q.pem’
removed ‘/tmp/ssl_certificate_chain_bmS.pem’

Common Errors

OCSP_basic_verify:certificate verify error

For the purposes of this script, I always check the OCSP response against the same certificate that signed the website's certificate (that is what passing the downloaded chain to -VAfile does). This error means that the CA didn't use that certificate to sign the OCSP response; the RFC says they should, but they don't have to. A response signed by a separate OCSP responder certificate that the CA issued for that purpose (one carrying the OCSP Signing extended key usage) is still legitimate, but openssl then has to build a chain for the signer, so the CA has to be supplied with -CAfile instead of being trusted outright through -VAfile.

WARNING: no nonce in response

Most CAs cache OCSP responses for performance reasons, so they cannot echo the nonce from your request back in the response. If you don't want this warning in the output, add -no_nonce to the openssl ocsp command so that no nonce is sent in the first place.

#!/bin/bash
# USAGE: sh ./ocsp_test.sh [host] [port]
# This is a script that verifies a site's certificate using OCSP via openssl
HOST=${1:-"steelcomputers.com"} # Use first arg or steelcomputers for host
PORT=${2:-"443"}                 # Use second arg or 443 as port
TEMP_CERT_FILE=$(mktemp -t ssl_certificate_XXX.pem)
TEMP_CERT_CHAIN_FILE=$(mktemp -t ssl_certificate_chain_XXX.pem)

fileprogress() {
    if hash pv 2>/dev/null; then
        # Use pv to display file progress if it's installed
        pv
    else
        # Just send the data along if pv isn't installed
        cat
    fi
}

printf "======== Downloading certificates ========\n"
echo "Saving certificate in \"$(basename "$TEMP_CERT_FILE")\"..."
# Download the certificate, use sed to get the PEM formatted cert, display download & save.
# -servername sends the host name via SNI so a server holding several certificates returns the right one.
openssl s_client -connect "$HOST:$PORT" -servername "$HOST" < /dev/null 2>&1 |
    sed -n '/-----BEGIN/,/-----END/p' |
    fileprogress > "$TEMP_CERT_FILE"

echo "Saving certificate chain in \"$(basename "$TEMP_CERT_CHAIN_FILE")\"..."
# sed the PEM certs, perl to delete the one we have already (the first one, i.e. the site's own cert)
openssl s_client -connect "$HOST:$PORT" -servername "$HOST" -showcerts < /dev/null 2>&1 |
    sed -n '/-----BEGIN/,/-----END/p' |
    perl -0777 -pe 's/.*?-{5}END\sCERTIFICATE-{5}\n//s' |
    fileprogress > "$TEMP_CERT_CHAIN_FILE"

printf "\n============ Locating OCSP URI ===========\n"
# Get the OCSP address from the certificate that we downloaded (its Authority Information Access extension)
SSL_OCSP_ADDRESS=$(openssl x509 -noout -ocsp_uri -in "$TEMP_CERT_FILE")
SSL_OCSP_HOST=$(echo "$SSL_OCSP_ADDRESS" | awk -F/ '{print $3}')
echo "The full OCSP address is \"$SSL_OCSP_ADDRESS\", so the host is \"$SSL_OCSP_HOST\""

printf "\n======= Performing OCSP Validation =======\n"
# Request verification on the status of the certificate where both the OCSP response and the CERT
# are signed by the same certificate: -issuer reads the first cert of the chain file (the direct
# issuer, since s_client lists the chain leaf-first) and -VAfile trusts the chain file's certs as
# responder certificates. Some OCSP servers require that the Host header is specified; add -text
# to get more detailed output.
# Note: the two-argument -header form below is the OpenSSL 1.0.x syntax; OpenSSL 1.1.0 and later
# take the header as a single argument, -header "Host=$SSL_OCSP_HOST".
openssl ocsp -issuer "$TEMP_CERT_CHAIN_FILE" -cert "$TEMP_CERT_FILE" -url "$SSL_OCSP_ADDRESS" \
    -header "HOST" "$SSL_OCSP_HOST" -VAfile "$TEMP_CERT_CHAIN_FILE"

printf "\n=========== Removing temp files ==========\n"
rm -v "$TEMP_CERT_FILE" "$TEMP_CERT_CHAIN_FILE"
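The good, revoked and "certificate verify error" outputs shown in the examples above, and the Common Errors explanations, can be reproduced offline against a throwaway CA without talking to any real responder. The script below is an added example, not part of the gist: it issues a leaf certificate and a delegated OCSP responder certificate from a test CA, uses the one-shot responder mode of openssl ocsp (-index together with -reqin/-respout) to produce responses from a CA-style index file, and then verifies them with the same -VAfile check that ocsp_test.sh performs. Every name, file and serial in it (Example Test CA, leaf.example.test, 4660, index_good.txt, ...) is constructed for the example; -no_nonce is passed on both sides, as the nonce note above suggests, and it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not the gist's code): a throwaway CA, an offline OCSP responder,
# and the same verification ocsp_test.sh does. All names and values are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the test CA gets CA:TRUE regardless of the system openssl.cnf
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Test CA, a leaf it issued, and a delegated OCSP responder cert (same CA, OCSPSigning EKU)
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=leaf.example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 4660 \
    -days 30 -out leaf.pem >/dev/null 2>&1
printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Example OCSP Responder" -keyout responder.key -out responder.csr >/dev/null 2>&1
openssl x509 -req -in responder.csr -CA ca.pem -CAkey ca.key -set_serial 4661 \
    -days 30 -extfile ocsp.ext -out responder.pem >/dev/null 2>&1

# CA database rows in the format `openssl ca` keeps (tab separated): status, expiry,
# revocation date[,reason], serial in hex as `openssl x509 -serial` prints it, file, subject.
SERIAL=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)   # 1234 (hex of 4660)
printf 'V\t351231235959Z\t\t%s\tunknown\t/CN=leaf.example.test\n' "$SERIAL" > index_good.txt
printf 'R\t351231235959Z\t200101000000Z,unspecified\t%s\tunknown\t/CN=leaf.example.test\n' \
    "$SERIAL" > index_revoked.txt

# The request ocsp_test.sh would POST to the responder, written to a file instead
openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1 || true

# Answer the request from an index file, signed by the given certificate and key
answer() {  # $1 = index file, $2 = signer cert, $3 = signer key, $4 = DER response to write
    openssl ocsp -index "$1" -CA ca.pem -rsigner "$2" -rkey "$3" -no_nonce \
        -reqin req.der -respout "$4" >/dev/null 2>&1
}
answer index_good.txt    ca.pem        ca.key        good.der       # signed by the CA itself
answer index_revoked.txt ca.pem        ca.key        revoked.der    # signed by the CA itself
answer index_good.txt    responder.pem responder.key delegated.der  # signed by the delegated responder

# Verify a stored response the way the gist does and reduce the text to "<ok|fail> <status>".
# The exit status of `openssl ocsp` does not encode the certificate status (a revoked
# certificate still exits 0), so the printed lines are what a caller has to inspect.
ocsp_status() {  # $1 = response file; remaining args = extra openssl ocsp options
    resp=$1; shift
    out=$(openssl ocsp -issuer ca.pem -cert leaf.pem -respin "$resp" -no_nonce "$@" 2>&1 || true)
    case $out in *"Response verify OK"*) v=ok ;; *) v=fail ;; esac
    case $out in
        *"leaf.pem: good"*)    s=good ;;
        *"leaf.pem: revoked"*) s=revoked ;;
        *)                     s=unknown ;;
    esac
    printf '%s %s\n' "$v" "$s"
}

echo "CA-signed, -VAfile ca.pem:  $(ocsp_status good.der -VAfile ca.pem)"       # ok good
echo "CA-signed, -VAfile ca.pem:  $(ocsp_status revoked.der -VAfile ca.pem)"    # ok revoked
# The Common Errors case: the signer is neither the issuer nor in -VAfile, so openssl must
# build a chain for it, and without the CA as a trust anchor that fails.
echo "delegated, -VAfile ca.pem:  $(ocsp_status delegated.der -VAfile ca.pem)"  # fail good
# Supplying the CA through -CAfile lets the delegated signer (OCSPSigning EKU) verify.
echo "delegated, -CAfile ca.pem:  $(ocsp_status delegated.der -CAfile ca.pem)"  # ok good
```

Run it with sh; it prints the four verdicts. The two -VAfile cases mirror the gist's good and revoked runs, where the issuer itself signed the response. The third case reproduces "Response Verify Failure" for the reason given under Common Errors, and the fourth shows the fix for that situation: give openssl the CA as a trust anchor with -CAfile rather than expecting the issuer to be the signer, and the delegated responder certificate verifies because it carries the OCSP Signing extended key usage.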