Commit 7d5e26cbb53 fixed extracting serial but did not change the format,
which always has been decimal. This patch fixes the manpage and
OSCP.sh script to conform with the implementation.
---
contrib/OCSP_check/OCSP_check.sh | 2 +-
doc/openvpn.8 | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh
index 847be45..7e9e1e8 100644
--- a/contrib/OCSP_check/OCSP_check.sh
+++ b/contrib/OCSP_check/OCSP_check.sh
@@ -97,7 +97,7 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth
]; then
"$nonce" \
-CAfile "$verify" \
-url "$ocsp_url" \
- -serial "0x${serial}" 2>/dev/null)
+ -serial "${serial}" 2>/dev/null)
if [ $? -eq 0 ]; then
# check that it's good
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 3a58317..6dc3f87 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -6080,9 +6080,9 @@ where
is the verification level. Only set for TLS connections. Set prior
to execution of
.B \-\-tls-verify
-script. This is in the form of a hex string like "37AB46E0", which is
-suitable for doing serial-based OCSP queries (with OpenSSL, you have
-to prepend "0x" to the string). If something goes wrong while reading
+script. This is in the form of a decimal string like "933971680", which is
+suitable for doing serial-based OCSP queries (with OpenSSL, do not
+prepend "0x" to the string) If something goes wrong while reading
the value from the certificate it will be an empty string, so your
code should check that.
See the contrib/OCSP_check/OCSP_check.sh script for an example.
--
1.8.5.2 (Apple Git-48)
