From 20df12e5f70bb9a05de4cf3b5432166905d3f281 Mon Sep 17 00:00:00 2001 From: Andras Fekete Date: Wed, 14 Jun 2023 09:20:06 -0400 Subject: [PATCH 1/2] This should add a check to make sure the server is up before connecting --- certs/ocsp/renewcerts.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 22103c4d0..e7222533e 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -80,10 +80,23 @@ update_cert server3 "www3.wolfssl.com" intermediate2-ca update_cert server4 "www4.wolfssl.com" intermediate2-ca v3_req2 08 # REVOKED update_cert server5 "www5.wolfssl.com" intermediate3-ca v3_req3 09 +wait_server_ready() { + MAX_TIMEOUT=10 + PORT=$1 + until nc -z localhost $PORT # Wait for openssl to be ready + do + sleep 0.05 + if [ "$MAX_TIMEOUT" == "0" ]; then + break + fi + ((MAX_TIMEOUT--)) + done +} # Create response DER buffer for test openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -partial_chain & PID=$! +wait_server_ready 22221 openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -noverify openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern -noverify @@ -95,6 +108,7 @@ wait $PID # now start up a responder that signs using rsa-pss openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & PID=$! +wait_server_ready 22221 openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der -noverify # can verify with the following command From 76cf3d61a02f4649c23365ef833a158521a4011d Mon Sep 17 00:00:00 2001 From: Andras Fekete Date: Wed, 14 Jun 2023 09:54:23 -0400 Subject: [PATCH 2/2] Calling 'nc' makes the server unresponsive --- certs/ocsp/renewcerts.sh | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index e7222533e..2f3fb3318 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -80,23 +80,10 @@ update_cert server3 "www3.wolfssl.com" intermediate2-ca update_cert server4 "www4.wolfssl.com" intermediate2-ca v3_req2 08 # REVOKED update_cert server5 "www5.wolfssl.com" intermediate3-ca v3_req3 09 -wait_server_ready() { - MAX_TIMEOUT=10 - PORT=$1 - until nc -z localhost $PORT # Wait for openssl to be ready - do - sleep 0.05 - if [ "$MAX_TIMEOUT" == "0" ]; then - break - fi - ((MAX_TIMEOUT--)) - done -} - # Create response DER buffer for test openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -partial_chain & PID=$! -wait_server_ready 22221 +sleep 1 # Make sure server is ready openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -noverify openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern -noverify @@ -108,7 +95,7 @@ wait $PID # now start up a responder that signs using rsa-pss openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & PID=$! -wait_server_ready 22221 +sleep 1 # Make sure server is ready openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der -noverify # can verify with the following command