serf-dev mailing list archives

From Branko Čibej <br...@apache.org>
Subject Re: Merge the ocsp-verification branch to trunk?
Date Fri, 20 Jan 2017 12:46:36 GMT
On 20.01.2017 13:38, Lieven Govaerts wrote:
> On Sat, Jan 14, 2017 at 5:39 PM, Branko Čibej <brane@apache.org> wrote:
>> I think the ocsp-verification branch is ready to be merged to trunk.
>> Here's the branch doc:
>>
>> https://svn.apache.org/repos/asf/serf/branches/ocsp-verification/BRANCH-README
>>
>>
>> I've successfully integrated the OCSP request creation and response
>> verification into a fairly complex but, sadly, closed-source application
>> and tested it against OpenSSL's OCSP responder implementation.
>> Everything seems OK.
>>
>> Unfortunately, I'm not sure how to add unit tests for the actual request
>> creation and response parsing; any suggestions towards that would be
>> appreciated.
>
> I've started working on integrating "OCSP Stapling" in the mock HTTPS
> server in the test framework, but I didn't get very far yet.
>
> You can check current status in the test:
> test_ssl_ocsp_response_error_and_override :
>
> Basically you enable OCSP stapling support on the server with:
>
>     ConfigServerWithID("server", WithOCSPEnabled)
> That configures the ocspStatusCallback function to be used in the https server.
>
>
> And then start the OCSP responder with:
>    SetupOCSPResponder(WithPort(12345))
>
> You can then initiate the OCSP responder to respond in certain ways to
> incoming requests:
>       OCSPRequest(MatchAny)
>         Respond(WithOCSPResponseStatus(mhOCSPRespnseStatusInternalError))
>
>
> That's more or less where I got. To complete it, basically an OCSP
> request/response server needs to be implemented. Relevant functions
> are:
> ocspStatusCallback
> ocspCreateResponse
>
> I seem to remember that I used the OpenSSL OCSP test responder as
> example, but as you can see I didn't complete it.

Thanks, this is very useful.

>> However, I don't think the lack of tests should block the
>> merge to trunk; tests can always be written later, and in the meantime
>> you can take my word for it that it works. :)
> He, luckily we know you :) .

You hope. :)

-- Brane
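
The responder case discussed above, answering with an `internalError` status, is a five-byte DER message on the wire. As an added example (not part of the original message or of serf's test framework), this dependency-free C encoder and strict parser handle that status field per RFC 6960; the function and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* OCSPResponseStatus values, RFC 6960 section 4.2.1 (4 is not used). */
enum ocsp_status {
    OCSP_SUCCESSFUL = 0, OCSP_MALFORMED_REQUEST = 1, OCSP_INTERNAL_ERROR = 2,
    OCSP_TRY_LATER = 3, OCSP_SIG_REQUIRED = 5, OCSP_UNAUTHORIZED = 6
};

/* Encode an error-only OCSPResponse: SEQUENCE { ENUMERATED status }.
   Returns bytes written (5) or 0. successful(0) is rejected because it
   must carry responseBytes, which this helper does not build. */
size_t ocsp_encode_error(int status, uint8_t *out, size_t cap)
{
    if (cap < 5 || status < 1 || status > 6 || status == 4)
        return 0;
    out[0] = 0x30; out[1] = 0x03;   /* SEQUENCE, length 3 */
    out[2] = 0x0A; out[3] = 0x01;   /* ENUMERATED, length 1 */
    out[4] = (uint8_t)status;
    return 5;
}

/* Return responseStatus from an encoded OCSPResponse, or -1 if the outer
   structure is malformed, truncated, has trailing bytes, or pairs an error
   status with responseBytes (or successful without them). */
int ocsp_parse_status(const uint8_t *der, size_t len)
{
    size_t pos = 1, seq_len = 0;
    if (len < 5 || der[0] != 0x30) return -1;
    if (der[pos] < 0x80) {
        seq_len = der[pos++];               /* short-form length */
    } else {
        size_t n = der[pos++] & 0x7F;       /* long form, 1 or 2 bytes */
        if (n == 0 || n > 2) return -1;
        while (n--) seq_len = (seq_len << 8) | der[pos++];
    }
    if (seq_len != len - pos || seq_len < 3) return -1;
    if (der[pos] != 0x0A || der[pos + 1] != 0x01) return -1;
    int status = der[pos + 2];
    if (status > 6 || status == 4) return -1;
    int has_body = seq_len > 3;             /* [0] EXPLICIT responseBytes */
    if (status == 0) return (has_body && der[pos + 3] == 0xA0) ? 0 : -1;
    return has_body ? -1 : status;
}

int main(void)
{
    uint8_t buf[5];
    size_t n = ocsp_encode_error(OCSP_INTERNAL_ERROR, buf, sizeof buf);
    return ocsp_parse_status(buf, n) == OCSP_INTERNAL_ERROR ? 0 : 1;
}
```

The parser only validates the outer envelope; a `successful` response still needs its signed `responseBytes` verified before the certificate status is trusted.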

