mirror of
https://github.com/openbsd/src.git
synced 2025-01-10 06:47:55 -08:00
e067d73ebc
ok beck
112 lines
3.4 KiB
Groff
.\" $OpenBSD: ocspcheck.8,v 1.9 2017/11/29 21:15:45 jmc Exp $
.\"
.\" Copyright (c) 2017 Bob Beck <beck@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: November 29 2017 $
.Dt OCSPCHECK 8
.Os
.Sh NAME
.Nm ocspcheck
.Nd check a certificate for validity against its OCSP responder
.Sh SYNOPSIS
.Nm
.Op Fl Nv
.Op Fl C Ar CAfile
.Op Fl i Ar staplefile
.Op Fl o Ar staplefile
.Ar file
.Sh DESCRIPTION
The
.Nm
utility validates a PEM format certificate against the OCSP responder
encoded in the certificate specified by the
.Ar file
argument.
Normally it should be used for checking server certificates
and maintaining saved OCSP responses to be used for OCSP stapling.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl C Ar CAfile
Specify a PEM format root certificate bundle to use for the validation of
requests.
By default no certificates are used beyond those in the
certificate chain provided by the
.Ar file
argument.
.It Fl i Ar staplefile
Specify an input filename from which a DER-encoded OCSP response
will be read instead of fetching it from the OCSP server.
A filename
of
.Sq -
will read the response from standard input.
.It Fl N
Do not use a nonce value in the OCSP request, or validate that the
nonce was returned in the OCSP response.
By default a nonce is always used and validated when retrieving
a response from an OCSP server.
The use of this flag is a security risk as it will allow OCSP
responses to be replayed.
It should not be used unless the OCSP server does not support the
use of OCSP nonces.
.It Fl o Ar staplefile
Specify an output filename where the DER encoded response from the
OCSP server will be written, if the OCSP response validates.
A filename
of
.Sq -
will write the response to standard output.
By default the response is not saved.
.It Fl v
Increase verbosity.
This flag may be specified multiple times to get more verbose output.
The default behaviour is to be silent unless something goes wrong.
.El
.Sh EXIT STATUS
The
.Nm
utility exits 0 if the OCSP response validates for the certificate in
.Ar file
and all output is successfully written out.
.Nm
exits >0 if an error occurs or the OCSP response fails to validate.
.Sh SEE ALSO
.Xr nc 1 ,
.Xr tls_config_set_ocsp_staple_file 3 ,
.Xr tls_config_set_ocsp_staple_mem 3 ,
.Xr httpd 8
.Sh HISTORY
The
.Nm
utility first appeared in
.Ox 6.1 .
.Sh AUTHORS
.Nm
was written by
.An Bob Beck .
.Sh CAVEATS
While
.Nm
could possibly be used in scripts to query responders for server
certificates seen on client connections, this is almost always a bad
idea.
God kills a kitten every time you make an OCSP query from the
client side of a TLS connection.
.Sh BUGS
.Nm
will create the output file if it does not exist.
On failure a newly created output file will not be removed.
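The manual page describes the server-side workflow (DESCRIPTION), the exit status contract (EXIT STATUS) and the fact that a failed run leaves a newly created output file behind (BUGS). The script below is an added example, not part of the OpenBSD tree or of ocspcheck itself, showing how a staple refresh job ties those three together: it fetches the response into a temporary file, installs it only on exit status 0, deletes the leftover on failure, and keeps the default nonce behaviour so replayed responses are rejected. The file paths, the wrapper name `refresh_staple` and the assumption that the TLS server is reloaded separately are all this example's own.

```shell
#!/bin/sh
# refresh_staple.sh - fetch a fresh OCSP response with ocspcheck(8) and
# install it as the staple file a TLS server (for example httpd(8)) sends.
#
# Added example; not part of the OpenBSD tree or of ocspcheck itself.
# Assumptions: file paths are supplied by the caller, and the server is
# told to reload separately once a new staple is in place.
#
# Points taken from the manual page and encoded below:
#   - exit status 0 means the response validated for the certificate AND
#     the output was written, so only then is the new staple installed;
#   - ocspcheck creates the -o file before validation is known to succeed
#     and does not remove it on failure (BUGS), so the fetch goes to a
#     temporary file that is renamed into place or deleted;
#   - the nonce stays enabled (no -N), so a replayed response is rejected.

set -eu

# refresh_staple CERT STAPLE [CAFILE]
#   CERT    PEM certificate (with its chain) to query the responder for
#   STAPLE  destination staple file; the previous staple stays intact
#           until a validated replacement has been written
#   CAFILE  optional PEM root bundle passed to -C
# Returns 0 when a validated response was installed, 1 otherwise.
refresh_staple() {
    cert=$1
    staple=$2
    cafile=${3:-}
    # Temporary file in the same directory as STAPLE so that mv(1) is an
    # atomic rename rather than a copy across filesystems.
    tmp="$staple.tmp.$$"

    # One -v: silent on success, diagnostics on failure (the default is
    # silent either way, which hides the reason a cron job failed).
    if [ -n "$cafile" ]; then
        set -- -v -C "$cafile" -o "$tmp" "$cert"
    else
        set -- -v -o "$tmp" "$cert"
    fi

    if ocspcheck "$@"; then
        mv -f "$tmp" "$staple"
        return 0
    fi
    # Validation or write failed: remove the file ocspcheck left behind so
    # that an empty or unvalidated staple is never served.
    rm -f "$tmp"
    return 1
}

# Stand-alone use:  refresh_staple.sh CERT STAPLE [CAFILE]
if [ $# -ge 2 ]; then
    refresh_staple "$@"
fi
```

Run it from cron(8) well before the current response expires; the function's exit status propagates to the script, so a failed refresh surfaces in cron mail while the previously installed staple keeps being served. Whether the server picks up the new file on its own or needs a reload is a property of the server, not of ocspcheck; this example assumes a reload is issued afterwards.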