VPN: OpenVPN: Instances - (optional) ocsp check, fix "pass" criteria,…

… result should be good and verified. (opnsense#7082, opnsense#7114)

src/etc/inc/certs.inc

@@ -738,6 +738,7 @@ function ocsp_validate($ca_filename, $serial)
         }
     }
     if ($ocsp_uri !== null) {
+        $verdict_pass = false;
         $result = exec(
             exec_safe(
                 "/usr/bin/openssl ocsp -resp_no_certs -timeout 10 -nonce -CAfile %s -issuer %s -url %s -serial %s 2>&1",
@@ -746,12 +747,11 @@ function ocsp_validate($ca_filename, $serial)
             $output,
             $retval
         );
-        $verdict_pass = false;
         foreach ($output as $line) {
             if (str_starts_with($line, "{$serial}:")) {
-                $status = explode(':', $line, 2)[1];
+                $status = trim(explode(':', $line, 2)[1]);
                 return [
-                    'pass' => $status == 'good',
+                    'pass' => $status == 'good' && trim($output[0]) == 'Response verify OK',
                     'response' => $status,
                     'uri' => $ocsp_uri,
                     'verify' => $output[0]

src/opnsense/scripts/openvpn/tls_verify.php

@@ -43,9 +43,9 @@ function do_verify($serverid)
     }
     $certificate_depth = getenv('certificate_depth') !== false ? getenv('certificate_depth') : 0;
     $allowed_depth = !empty($a_server['cert_depth']) ? $a_server['cert_depth'] : 1;
-    if ($allowed_depth != null && ($certificate_depth > $allowed_depth)) {
+    if ($certificate_depth > $allowed_depth) {
         return "Certificate depth {$certificate_depth} exceeded max allowed depth of {$allowed_depth}.";
-    } elseif ($a_server['use_ocsp']) {
+    } elseif ($a_server['use_ocsp'] && $certificate_depth == 0) {
         $serial = getenv('tls_serial_' . $certificate_depth);
         $ocsp_response = ocsp_validate("/var/etc/openvpn/instance-" . $serverid . ".ca", $serial);
         if (!$ocsp_response['pass']) {