HomePhabricator
Diffusion Wikimedia Puppet 367653244eeb

update-ocsp: refactor validation, check cert life
367653244eeb
Actions

Description

update-ocsp: refactor validation, check cert life

The functional highlights here are:

  1. We now ask openssl for the text output in the same command that

stores the binary response to disk.

  1. Command executions split stderr and stdout for easier parsing.
  1. OpenSSL stderr is parsed for an explicit "Response verify OK"

rather than relying solely on an exit status of zero.

  1. OCSP Windows are checked from the initial text output, rather

than as a second command reading from the stored binary response.

  1. The signing cert's validity is checked, causing failure if:
    • "Not Before" > 60s in the future
    • "Not After" < 1h in the future
    • "Not After" earlier than any OCSP Window end time (which is usually 12h in the future)

certs_fetch_ocsp() is now an overlong function that's not ideally
factored, but we'll deal with this in the rewrite as a daemon in
ticket T93927, as many details about the handling of date windows
will change in that model anyways.

Bug: T109737
Bug: T109738
Change-Id: Ide511688caa9ea3d0dd0bf18687d98237a3c4949

Details

Provenance
BBlackAuthored on
Parents
rOPUPf3c7f50d8ecb: Added a live-migrate script to wrap nova's standard block-migrate.
Branches
Unknown
Tags
Unknown
ChangeId
Ide511688caa9ea3d0dd0bf18687d98237a3c4949

Changes (1)

PathSize
modules/
sslcert/
files/

rOPUP367653244eeb

View Options

modules/sslcert/files/update-ocsp

Loading...
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL