Hi Hubert,

On 23-09-14 14:45, Hubert Kario wrote:
> There are few serious issues with the OCSP_check.sh script:
> 1. It will accept OCSP responses with bad signatures
> 2. It may accept OCSP old responses as currently valid
>
> detailed description on bug tracker:
> https://community.openvpn.net/openvpn/ticket/450#ticket
>
> Pull request with fixes:
> https://github.com/OpenVPN/openvpn/pull/17

Thanks. OpenVPN uses a patch review mechanism that requires all patches to be sent to this mailing list (see http://community.openvpn.net/openvpn/wiki/DeveloperDocumentation). Could you please send your suggested changes (as one or two patches) to this mailing list? (git format-patch is your friend). Once the patches are on the mailing list, we can do the final code review.

Anticipating on the actual review, your suggested changes sound good to me. Normally we'd have to be careful not to break existing setups, but since this script has been broken for quite a while (and has only been fixed recently) it appears to be not used very often. So I think it is fine to change the behaviour like this.

-Steffan