Commit 7d5e26cbb53 fixed extracting serial but did not change the format,
which always has been decimal. This patch fixes the manpage and
OSCP.sh script to conform with the implementation.
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1396001222-5033-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8409
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 959d60789b6f0bd74296600f58f626cfa9738f78)
... | ... |
@@ -97,7 +97,7 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then |
97 | 97 |
"$nonce" \ |
98 | 98 |
-CAfile "$verify" \ |
99 | 99 |
-url "$ocsp_url" \ |
100 |
- -serial "0x${serial}" 2>/dev/null) |
|
100 |
+ -serial "${serial}" 2>/dev/null) |
|
101 | 101 |
|
102 | 102 |
if [ $? -eq 0 ]; then |
103 | 103 |
# check that it's good |
... | ... |
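Review bot: Nothing in the visible context of this hunk checks `$serial` before it reaches `-serial "${serial}"`, and the `2>/dev/null` on the same line hides whatever error openssl would print for a malformed value. The man page text changed in this same patch says the variable is an empty string when the serial cannot be read and that calling code should check for it. If the script does not already do so above this hunk, add a guard before the query that fails verification when the value is empty or contains anything other than decimal digits. A one-line comment here stating that the serial is decimal would also help keep the "0x" prefix from being reintroduced.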
@@ -6032,9 +6032,9 @@ where |
6032 | 6032 |
is the verification level. Only set for TLS connections. Set prior |
6033 | 6033 |
to execution of |
6034 | 6034 |
.B \-\-tls-verify |
6035 |
-script. This is in the form of a hex string like "37AB46E0", which is |
|
6036 |
-suitable for doing serial-based OCSP queries (with OpenSSL, you have |
|
6037 |
-to prepend "0x" to the string). If something goes wrong while reading |
|
6035 |
+script. This is in the form of a decimal string like "933971680", which is |
|
6036 |
+suitable for doing serial-based OCSP queries (with OpenSSL, do not |
|
6037 |
+prepend "0x" to the string) If something goes wrong while reading |
|
6038 | 6038 |
the value from the certificate it will be an empty string, so your |
6039 | 6039 |
code should check that. |
6040 | 6040 |
See the contrib/OCSP_check/OCSP_check.sh script for an example. |
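Review bot: The added line `+prepend "0x" to the string) If something goes wrong while reading` drops the period that the removed text had after the closing parenthesis; it should read `string). If something goes wrong`. The new example value is consistent with the old one ("933971680" is the decimal form of "37AB46E0"), so readers comparing the two versions of the page see the same serial in both notations.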