
Proxy-option for openssl-ocsp stapling

Open NiceRath opened this issue 1 year ago • 4 comments

Greetings!

This PR adds the missing proxy functionality for the openssl 'ocsp_log' call. See issue: https://github.com/dehydrated-io/dehydrated/issues/838

What does it do? It checks if a proxy is set in the environment variables and uses it for the ocsp-call if so.

- Rath

NiceRath avatar Jun 14 '23 07:06 NiceRath

Wouldn't it be easier/cleaner to use the -proxy option to openssl-ocsp?

bllfr0g avatar Jun 14 '23 14:06 bllfr0g

Greetings!

I thought so too - but it seems not all OpenSSL packages have this functionality implemented. That's probably why the problem occurs in the first place.

For example, when using OpenSSL '1.1.1n-0+deb11u4' one gets the following error: ERROR: Error while fetching OCSP information: ocsp: Unrecognized flag proxy

- Rath

NiceRath avatar Jun 15 '23 06:06 NiceRath

Good point! Looks like -proxy was added about two years ago, so your change will work in more places.

https://github.com/openssl/openssl/commit/88d96983d881254d0bcb36d79b32aac08339e0d3

bllfr0g avatar Jun 15 '23 13:06 bllfr0g

It seems there is an issue with my solution. 'set -u' currently stops the script's execution if the environment proxy variables are unset. I'll test it and add a fix to the PR.

- Rath

NiceRath avatar Jul 07 '23 11:07 NiceRath
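The 'set -u' failure mode described in the last comment, as an added example that is not code from this PR or from dehydrated: reading the proxy variables through `${var:-}` keeps the script running when none of them is set. The function names, the variable precedence and the sample proxy URL are assumptions made for illustration.

```shell
set -u  # same strictness the last comment refers to

# Print the first non-empty proxy variable, or nothing when none is set.
# "${var:-}" expands to "" for an unset variable instead of aborting
# under 'set -u'. The precedence order here is an assumption.
ocsp_proxy_from_env() {
  for _p in "${http_proxy:-}" "${HTTP_PROXY:-}" "${https_proxy:-}" "${HTTPS_PROXY:-}"; do
    if [ -n "$_p" ]; then
      printf '%s\n' "$_p"
      return 0
    fi
  done
  return 0
}

# Reduce a proxy URL to host:port so credentials embedded in it are not
# passed on a command line or written to a log.
proxy_hostport() {
  _v="${1#*://}"   # drop the scheme, if any
  _v="${_v%%/*}"   # drop any path
  _v="${_v##*@}"   # drop user:password@
  printf '%s\n' "$_v"
}

# Returns 0 if an unguarded "$var" on an unset variable aborts a shell
# running with 'set -u'. Runs in a subshell so the caller survives.
unguarded_expansion_aborts() {
  ( set -u; unset demo_proxy; : "$demo_proxy" ) 2>/dev/null && return 1
  return 0
}

proxy="$(ocsp_proxy_from_env)"
if [ -n "$proxy" ]; then
  echo "OCSP request would go via $(proxy_hostport "$proxy")"
else
  echo "no proxy variable set, direct OCSP request"
fi
```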