The syntax of openssl ocsp -header option has been changed in OpenSSL
1.1.0. And it now does not require -header option anymore. It looks
like that it is workaround for 1.0.x versions.
With OpenSSL <= 1.0.1, openssl ocsp command still returns exit code 0,
even if verification was failed. If that happens certain string is
emitted in stderr, so check that string and if exists, treat it as
error. This issue was fixed in OpenSSL 1.0.2.
At least OpenSSL 1.0.2, openssl ocsp command still returns exit code
0, even if responder returned non-successful status code (e.g.,
trylater(3)). We are not sure this is intentional or not. To handle
this, we again check certain error string in stdout, and if it is
found, treat it as error.
Tatsuhiro Tsujikawa
Peter Wu