jinql
/
openssl-patch
mirror of https://github.com/hakasenyang/openssl-patch
1
0
Fork 0
Code Issues Releases Wiki Activity

nginx ocsp test

pull/17/head
Hakase 2019-04-02 17:06:36 +09:00
parent ca1b2c5829
commit 1b2097f40e
No known key found for this signature in database
GPG Key ID: BB2821A9E0DF48C9
2 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -70,6 +70,7 @@ Example of setting TLS 1.3 cipher in nginx:
| nginx_hpack_remove_server_header_1.15.3.patch | HPACK + Remove nginx server header. (http2, http1.1) |
| nginx_strict-sni.patch | Enable **Strict-SNI**. Thanks [@JemmyLoveJenny](https://github.com/JemmyLoveJenny). [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872) |
| nginx_openssl-1.1.x_renegotiation_bugfix.patch | Bugfix **Secure Client-Initiated Renegotiation**. (Check testssl.sh) OpenSSL >= 1.1.x, nginx = 1.15.4<br>[Patched nginx 1.15.5](https://github.com/nginx/nginx/commit/53803b4780be15d8014be183d4161091fd5f3376) |
| nginx_ocsp.sh | Some of the parts that can not get OCSP Stapling value at nginx start or reload are solved.<br>OCSP stapling in nginx is made up of a callback, so you only need to connect at least once to get the value.<br>This file is a temporary file and may not work normally. |
## How To Use?

44
nginx_ocsp.sh Executable file
View File

@ -0,0 +1,44 @@
#!/bin/bash
gets() {
if [ ! -z "$2" ]; then
port=$2
else
port=443
fi
echo QUIT | openssl s_client -connect 127.0.0.1:${2} -servername ${1} -tls1_2 -cipher ECDH -status > /dev/null 2>&1
echo QUIT | openssl s_client -connect 127.0.0.1:${2} -servername ${1} -tls1_2 -cipher aRSA:RSA -status > /dev/null 2>&1
}
file=`find /etc/nginx -name "*.conf"`
for names in $file; do
# csplit source : https://stackoverflow.com/questions/9634953/how-to-split-a-nginx-virtual-host-config-file-into-small-ones-using-shell/38635284
rm /tmp/ngx_ocsp*.tmp > /dev/null 2>&1
csplit -z -f /tmp/ngx_ocsp -b %d.tmp $names '/^\s*server\s*{*$/' {*} > /dev/null 2>&1
for i in /tmp/ngx_ocsp*.tmp; do
result=`grep -oP '(?<=server_name ).+(?=;)' $i`
if [ ! -z "$result" ]; then
port=`grep -oP '(?<=listen ).+(?=ssl).+(?=;)' $i`
new_name=`echo $result|awk '{print $1}'`
new_name=${new_name%';'}
port=`echo $port|sed 's/[^0-9]/ /g'|awk '{print $1}'`
port=${port%';'}
if [ ! -z "$port" ]; then
hosts=(${hosts[@]} $new_name:$port)
fi
fi
done
done
rm /rmp/ocsp*.tmp > /dev/null 2>&1
FINALS=`echo ${hosts[@]} | tr " " "\n" | sed -e "s/^*//g" | sed -e "s/*/wildcards/g" | sed "/\\\#/d" | sed "/localhost/d" | sort -u`
for conn in $FINALS; do
data1=`echo $conn | awk -F: '{print $1}'`
data2=`echo $conn | awk -F: '{print $2}'`
echo OCSP : $data1 - $data2
gets $data1 $data2
done