test script for ocsp support for openvpn @ opnsense
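#!/bin/sh
# based on https://github.com/OpenVPN/openvpn/blob/master/contrib/OCSP_check/OCSP_check.sh
# for testing ocsp support in openvpn @ opnsense
#
# Invoked by OpenVPN as a tls-verify hook, e.g.
#   tls-verify "/path/to/ocsp_check.sh '1'"
# so the arguments are:
#   $1 - openvpn instance id (selects /var/etc/openvpn/server${1}.ca)
#   $2 - depth of the certificate currently being verified (appended by openvpn)
#   $3 - X.509 subject / CN of that certificate (appended by openvpn)
# The certificate serial is read from the environment variable
# tls_serial_<depth>, which openvpn exports for the hook.
# Exit status: 0 accepts the certificate, non-zero rejects it.

# openvpn instance
serverid=$1
openvpn_server="openvpn_server${serverid}"
cur_depth=$2 # this is the *CURRENT* depth
common_name=$3 # CN in case you need it

# all diagnostics go to syslog, tagged with the instance name
log() {
  logger -t "$openvpn_server" "OCSP: $*"
}

if [ -z "$serverid" ]; then
  log "Error: openvpn instance id (\$1) not given!"
  exit 1
fi

# CA CERTIFICATE
issuer="/var/etc/openvpn/server${serverid}.ca"
# Verify the response
verify="/var/etc/openvpn/server${serverid}.ca"
# OCSP responder URL (mandatory)
# extracted from the Authority Information Access entry of the CA cert
ocsp_url=$(openssl x509 -in "$issuer" -noout -ocsp_uri)
# https://www.openssl.org/docs/man3.0/man3/OCSP_check_nonce.html
# use a nonce in the query, set to "-no_nonce" to not use it
nonce="-nonce"
# Depth in the certificate chain where the cert to verify is.
# "0" is the usual value, "-1" checks every depth
check_depth=0

log "call of $0 with $*"
log "call of $0 with cur_depth=$cur_depth"
log "call of $0 with common_name=$common_name"
# debug env: this dumps every shell variable, i.e. the complete openvpn
# hook environment, into syslog; keep it only while testing
log "$(set)"

# minimal sanity checks
err=0
if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then
  log "Error: issuer certificate undefined or not found!"
  err=1
fi
if [ -z "$verify" ] || [ ! -e "$verify" ]; then
  log "Error: verification certificate undefined or not found!"
  err=1
fi
if [ -z "$ocsp_url" ]; then
  log "Error: OCSP server URL not defined!"
  err=1
fi
# cur_depth is spliced into an eval below, so it must be a plain
# non-negative integer before anything else happens with it
case "$cur_depth" in
  ''|*[!0-9]*)
    log "Error: current depth '$cur_depth' is not a number!"
    err=1
    ;;
esac
if [ "$err" -eq 1 ]; then
  log "ERROR: Did you forget to customize the variables in the script?"
  exit 1
fi

# begin
# openvpn calls this hook once per chain element; only the configured
# depth is queried, every other depth is accepted here
if [ "$check_depth" -ne -1 ] && [ "$cur_depth" -ne "$check_depth" ]; then
  exit 0
fi

# serial from env; the variable name depends on the depth, hence the eval
# (cur_depth was validated as numeric above)
eval "serial=\$tls_serial_${cur_depth}"
log "serial: $serial"
if [ -z "$serial" ]; then
  log "ERROR: tls_serial_${cur_depth} not set in the environment"
  exit 1
fi

status=$(openssl ocsp -issuer "$issuer" \
  "$nonce" \
  -CAfile "$verify" \
  -url "$ocsp_url" \
  -serial "${serial}" 2>&1)
# capture the exit code right away: testing $? after an intervening
# logger call would check logger's status, not openssl's
rc=$?
log "status: $status"
if [ "$rc" -ne 0 ]; then
  log "ERROR: ocsp query exited with error code $rc"
  log "ERROR: status: $status"
  log "ERROR: ... something was wrong"
  exit 1
fi
# check if ocsp didn't report any errors
if printf '%s\n' "$status" | grep -Eq "(error|fail)"; then
  log "found error|fail in status"
  exit 1
fi
# check that the reported status of certificate is ok
# (serial is used as part of the pattern; openvpn exports it as hex digits)
if printf '%s\n' "$status" | grep -Eq "^${serial}: good"; then
  log "serial $serial is good"
  # check if signature on the OCSP response verified correctly
  if printf '%s\n' "$status" | grep -Eq "^Response verify OK"; then
    log "Response verify OK"
    exit 0
  fi
  log "ERROR: response signature did not verify"
elif printf '%s\n' "$status" | grep -Eq "^${serial}: revoked"; then
  log "serial $serial revoked"
else
  log "serial $serial status undefined"
fi
# if we get here, something was wrong
log "ERROR: ... something was wrong"
exit 1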

zerwes commented Dec 17, 2023

related to opnsense/core#6838


zerwes commented Dec 17, 2023

you can extract the ocsp endpoint from the Authority Information Access entry:
openssl x509 -in /var/etc/openvpn/server${1}.ca -noout -ocsp_uri


zerwes commented Dec 17, 2023

edit /var/etc/openvpn/server1.conf and set:
tls-verify "/usr/local/opnsense/scripts/openvpn/ocsp_check.sh '1'"
