There are a few serious issues with the OCSP_check.sh script:

1. It will accept OCSP responses with bad signatures
2. It may accept old OCSP responses as currently valid

Detailed description on bug tracker: https://community.openvpn.net/openvpn/ticket/450#ticket
Pull request with fixes: https://github.com/OpenVPN/openvpn/pull/17

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hka...@redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
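
A fail-closed check covering the two problems listed in the message above, added here as an illustration; it is not the code from OCSP_check.sh or from the pull request. The function name `ocsp_accept` and the sample outputs are constructed, and the matched strings assume the text that `openssl ocsp` prints when its output is captured with `2>&1`.

```shell
#!/bin/sh
# ocsp_accept EXIT_STATUS SERIAL OUTPUT
# Returns 0 only if the captured `openssl ocsp` output can be trusted.
ocsp_accept() {
    rc=$1; serial=$2; out=$3
    # The openssl command itself must have succeeded.
    [ "$rc" -eq 0 ] || return 1
    # Issue 1: require the line printed only when the signature verified.
    printf '%s\n' "$out" | grep -qx 'Response verify OK' || return 1
    # Issue 2: reject responses whose thisUpdate/nextUpdate window is invalid.
    printf '%s\n' "$out" | grep -q '^WARNING: Status times invalid' && return 1
    # Fail closed on any other reported error or failure.
    printf '%s\n' "$out" | grep -Eiq 'error|fail' && return 1
    # Only now trust the status line, and only for exactly this serial.
    printf '%s\n' "$out" | grep -qxF "${serial}: good" || return 1
    return 0
}

# Constructed sample outputs (not captured from a real responder).
GOOD='Response verify OK
0x1000: good
    This Update: Jan  1 00:00:00 2030 GMT
    Next Update: Jan  8 00:00:00 2030 GMT'

# Signature check failed, yet the status line still says "good".
BAD_SIG='Response Verify Failure
(constructed) signature failure
0x1000: good
    This Update: Jan  1 00:00:00 2030 GMT'

# Signature is fine, but the response is outside its validity window.
STALE='Response verify OK
0x1000: good
WARNING: Status times invalid.
(constructed) status expired
    This Update: Jan  1 00:00:00 2010 GMT
    Next Update: Jan  8 00:00:00 2010 GMT'

for sample in GOOD BAD_SIG STALE; do
    eval "text=\$$sample"
    if ocsp_accept 0 0x1000 "$text"; then
        echo "$sample: accept"
    else
        echo "$sample: reject"
    fi
done
```

Matching only the `good` status line would accept all three samples; the function accepts only the first.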