Merge pull request #256 from tohn/master

serverco · web-flow · commit 9729c98d4bcc · 2017-02-18T13:20:29.000Z
Add OCSP Must-Staple
diff --git a/getssl b/getssl
@@ -183,10 +183,11 @@
 # 2017-01-29 issue #232 use neutral locale for date formatting (2.07)
 # 2017-01-30 issue #243 compatibility with bash 3.0 (2.08)
 # 2017-01-30 issue #243 additional compatibility with bash 3.0 (2.09)
+# 2017-02-18 add OCSP Must-Staple to the domain csr generation (2.10)
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
-VERSION="2.09"
+VERSION="2.10"
 
 # defaults
 ACCOUNT_KEY_LENGTH=4096
@@ -218,6 +219,7 @@ REUSE_PRIVATE_KEY="true"
 SERVER_TYPE="https"
 SKIP_HTTP_TOKEN_CHECK="false"
 SSLCONF="$(openssl version -d 2>/dev/null| cut -d\" -f2)/openssl.cnf"
+OCSP_MUST_STAPLE="false"
 TEMP_UPGRADE_FILE=""
 TOKEN_USER_ID=""
 USE_SINGLE_ACL="false"
@@ -620,6 +622,11 @@ create_csr() { # create a csr using a given key (if it doesn't already exist)
     tmp_conf=$(mktemp)
     cat "$SSLCONF" > "$tmp_conf"
     printf "[SAN]\n%s" "$SANLIST" >> "$tmp_conf"
+    # add OCSP Must-Staple to the domain csr
+    # if openssl version >= 1.1.0 one can also use "tlsfeature = status_request"
+    if [[ "$OCSP_MUST_STAPLE" == "true" ]]; then
+      printf "\n1.3.6.1.5.5.7.1.24 = DER:30:03:02:01:05" >> "$tmp_conf"
+    fi
     openssl req -new -sha256 -key "$csr_key" -subj "$CSR_SUBJECT" -reqexts SAN -config "$tmp_conf" > "$csr_file"
     rm -f "$tmp_conf"
   fi
