authorjmc <>2017-01-24 09:39:43 +0000
committerjmc <>2017-01-24 09:39:43 +0000
commit03de1298174671da0080d2afb0d4eb14f04c039d (patch)
treeb69b78de977e49f3014f26a2011fb7449adf58ac /src
parent8d8d003de90a8c496935e790bd5a000eac5f7835 (diff)
various cleanup;
Diffstat (limited to 'src')
-rw-r--r--src/usr.sbin/ocspcheck/ocspcheck.855
-rw-r--r--src/usr.sbin/ocspcheck/ocspcheck.c2
2 files changed, 28 insertions, 29 deletions
diff --git a/src/usr.sbin/ocspcheck/ocspcheck.8 b/src/usr.sbin/ocspcheck/ocspcheck.8
index 6b131416aa..a2ca8d6694 100644
--- a/src/usr.sbin/ocspcheck/ocspcheck.8
+++ b/src/usr.sbin/ocspcheck/ocspcheck.8
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ocspcheck.8,v 1.2 2017/01/24 08:54:23 beck Exp $ 1.\" $OpenBSD: ocspcheck.8,v 1.3 2017/01/24 09:39:43 jmc Exp $
2.\" 2.\"
3.\" Copyright (c) 2017 Bob Beck <beck@openbsd.org> 3.\" Copyright (c) 2017 Bob Beck <beck@openbsd.org>
4.\" 4.\"
@@ -19,18 +19,18 @@
19.Os 19.Os
20.Sh NAME 20.Sh NAME
21.Nm ocspcheck 21.Nm ocspcheck
22.Nd Check a certificate for validity against its OSCP responder 22.Nd check a certificate for validity against its OSCP responder
23.Sh SYNOPSIS 23.Sh SYNOPSIS
24.Nm 24.Nm
25.Op Fl vN 25.Op Fl Nv
26.Op Fl o Ar staplefile
27.Op Fl C Ar CAfile 26.Op Fl C Ar CAfile
27.Op Fl o Ar staplefile
28.Ar file 28.Ar file
29.Sh DESCRIPTION 29.Sh DESCRIPTION
30The 30The
31.Nm 31.Nm
32utility validates a PEM format certificate against the OCSP responder 32utility validates a PEM format certificate against the OCSP responder
33encoded in the certificate that is specified by the 33encoded in the certificate specified by the
34.Ar file 34.Ar file
35argument. 35argument.
36Normally it should be used for checking server certificates 36Normally it should be used for checking server certificates
@@ -39,20 +39,12 @@ and maintaining saved OCSP responses to be used for OCSP stapling.
39The options are as follows: 39The options are as follows:
40.Bl -tag -width Ds 40.Bl -tag -width Ds
41.It Fl C Ar CAfile 41.It Fl C Ar CAfile
42Specify a PEM formatted root certificate bundle to use for the validation of 42Specify a PEM format root certificate bundle to use for the validation of
43requests. 43requests.
44By default no certificates are used beyond those in the 44By default no certificates are used beyond those in the
45certificate chain provided by the 45certificate chain provided by the
46.Ar file 46.Ar file
47argument. 47argument.
48.It Fl o Ar staplefile
49Specify an output filename where the DER encoded response from the
50OCSP server will be written, if the OCSP response validates.
51A filename
52of
53.Ar -
54will write the response to standard output. By default the response
55is not saved.
56.It Fl N 48.It Fl N
57Do not use a nonce value in the OCSP request, or validate that the 49Do not use a nonce value in the OCSP request, or validate that the
58nonce was returned in the OCSP response. 50nonce was returned in the OCSP response.
@@ -61,28 +53,35 @@ The use of this flag is a security risk as it will allow OCSP
61responses to be replayed. 53responses to be replayed.
62It should not be used unless the OCSP server does not support the 54It should not be used unless the OCSP server does not support the
63use of OCSP nonces. 55use of OCSP nonces.
56.It Fl o Ar staplefile
57Specify an output filename where the DER encoded response from the
58OCSP server will be written, if the OCSP response validates.
59A filename
60of
61.Sq -
62will write the response to standard output.
63By default the response is not saved.
64.It Fl v 64.It Fl v
65Increase verbosity. 65Increase verbosity.
66This flag may be specified multiple times to get more verbose output. 66This flag may be specified multiple times to get more verbose output.
67The default behaviour is to be silent unless something goes wrong. 67The default behaviour is to be silent unless something goes wrong.
68.El
68.Sh EXIT STATUS 69.Sh EXIT STATUS
70The
69.Nm 71.Nm
70exits 0 if the OCSP response validates for the 72utility exits 0 if the OCSP response validates for the certificate in
71certificate in
72.Ar file 73.Ar file
73and all output is successfully written out. 74and all output is successfully written out,
74Otherwise 75and >0 if an error occurs.
75.Nm
76will exit >0.
77.Sh SEE ALSO 76.Sh SEE ALSO
78.Xr httpd 8 ,
79.Xr nc 1 , 77.Xr nc 1 ,
80.Xr tls_config_set_ocsp_staple_mem 3 ,
81.Xr tls_config_set_ocsp_staple_file 3 , 78.Xr tls_config_set_ocsp_staple_file 3 ,
82.Sh BUGS 79.Xr tls_config_set_ocsp_staple_mem 3 ,
80.Xr httpd 8
81.Sh AUTHORS
83.Nm 82.Nm
84will create the output file if it does not exist. 83was written by
85On failure a newly created output file will not be removed. 84.An Bob Beck .
86.Sh CAVEATS 85.Sh CAVEATS
87While 86While
88.Nm 87.Nm
@@ -91,7 +90,7 @@ certificates seen on client connections, this is almost always a bad
91idea. 90idea.
92God kills a kitten every time you make an OCSP query from the 91God kills a kitten every time you make an OCSP query from the
93client side of a TLS connection. 92client side of a TLS connection.
94.Sh AUTHORS 93.Sh BUGS
95.Nm 94.Nm
96was written by 95will create the output file if it does not exist.
97.An Bob Beck 96On failure a newly created output file will not be removed.
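--- a/src/usr.sbin/ocspcheck/ocspcheck.c
+++ b/src/usr.sbin/ocspcheck/ocspcheck.c
@@ -499,7 +499,7 @@ validate_response(char *buf, size_t size, ocsp_request *request,
 static void
 usage(void)
 {
-	errx(1, "Usage: %s [-N] [-v] [-o staplefile] certfile", getprogname());
+	errx(1, "usage: %s [-Nv] [-C CAfile] [-o staplefile] file", getprogname());
 }
 
 int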
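Review bot: usage() still reports through errx() at line 502, so the message is printed with the program name twice — errx() prefixes its own output with the program name, giving `ocspcheck: usage: ocspcheck [-Nv] ...`. The conventional OpenBSD form is `fprintf(stderr, "usage: %s [-Nv] [-C CAfile] [-o staplefile] file\n", getprogname());` followed by `exit(1);`, which keeps the exit status the same and prints the usage line exactly once. The new option string itself does match the reordered synopsis in ocspcheck.8, so only the reporting call needs changing.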