serf-dev mailing list archives

From Lieven Govaerts <...@mobsol.be>
Subject Re: Merge the ocsp-verification branch to trunk?
Date Fri, 20 Jan 2017 12:38:28 GMT
On Sat, Jan 14, 2017 at 5:39 PM, Branko Čibej <brane@apache.org> wrote:
>
> I think the ocsp-verification branch is ready to be merged to trunk.
> Here's the branch doc:
>
> https://svn.apache.org/repos/asf/serf/branches/ocsp-verification/BRANCH-README
>
>
> I've successfully integrated the OCSP request creation and response
> verification into a fairly complex but, sadly, closed-source application
> and tested it against OpenSSL's OCSP responder implementation.
> Everything seems OK.
>
> Unfortunately, I'm not sure how to add unit tests for the actual request
> creation and response parsing; any suggestions towards that would be
> appreciated.


I've started working on integrating "OCSP Stapling" in the mock HTTPS
server in the test framework, but I didn't get very far yet.

You can check current status in the test:
test_ssl_ocsp_response_error_and_override

Basically you enable OCSP stapling support on the server with:

    ConfigServerWithID("server", WithOCSPEnabled)

That configures the ocspStatusCallback function to be used in the https server.

And then start the OCSP responder with:

    SetupOCSPResponder(WithPort(12345))

You can then initiate the OCSP responder to respond in certain ways to
incoming requests:

    OCSPRequest(MatchAny)
      Respond(WithOCSPResponseStatus(mhOCSPRespnseStatusInternalError))


That's more or less where I got. To complete it, basically an OCSP
request/response server needs to be implemented. Relevant functions
are:
ocspStatusCallback
ocspCreateResponse

I seem to remember that I used the OpenSSL OCSP test responder as
example, but as you can see I didn't complete it.

>
> However, I don't think the lack of tests should block the
> merge to trunk; tests can always be written later, and in the meantime
> you can take my word for it that it works. :)

He, luckily we know you :) .

Lieven

> -- Brane
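
An added example, not part of the original message or of serf's test framework: the response a mock responder would return for an error status such as the internal-error case above has a fixed five-byte DER encoding under RFC 6960, so a test can build and check it without a full OCSP implementation. All `ex_`/`EX_` names are hypothetical, and the length reader is lenient rather than strict DER.

```c
#include <stdint.h>
#include <stdio.h>
/* OCSPResponseStatus values from RFC 6960, section 4.2.1 (4 is unused). */
enum { EX_SUCCESSFUL = 0, EX_MALFORMED_REQUEST = 1, EX_INTERNAL_ERROR = 2,
       EX_TRY_LATER = 3, EX_SIG_REQUIRED = 5, EX_UNAUTHORIZED = 6 };

/* Encode an error-only OCSPResponse; returns its size, or 0 on bad input. */
size_t ex_encode_error_response(int status, uint8_t *out, size_t cap)
{
    if (status < 1 || status > 6 || status == 4 || cap < 5) return 0;
    out[0] = 0x30; out[1] = 0x03;                 /* SEQUENCE, length 3 */
    out[2] = 0x0A; out[3] = 0x01; out[4] = (uint8_t)status; /* ENUMERATED */
    return 5;
}

/* Read an ASN.1 length at *pos; 0 on success, -1 on malformed input. */
static int ex_der_len(const uint8_t *p, size_t n, size_t *pos, size_t *len)
{
    uint8_t b = p[(*pos)++];                      /* caller ensures *pos < n */
    size_t k = b & 0x7F;
    if (b < 0x80) { *len = b; return 0; }         /* short form */
    if (k == 0 || k > 4 || n - *pos < k) return -1;
    for (*len = 0; k > 0; k--) *len = (*len << 8) | p[(*pos)++];
    return 0;
}

/* Return responseStatus, or -1 if malformed or inconsistent with RFC 6960. */
int ex_parse_response_status(const uint8_t *der, size_t n)
{
    size_t pos = 1, seq_len, rest;
    if (n < 5 || der[0] != 0x30 || ex_der_len(der, n, &pos, &seq_len) != 0)
        return -1;
    if (seq_len != n - pos || seq_len < 3) return -1;   /* exact framing */
    if (der[pos] != 0x0A || der[pos + 1] != 0x01) return -1;
    int status = der[pos + 2];
    rest = seq_len - 3;                           /* bytes after the status */
    if (status > 6 || status == 4) return -1;
    if (status == EX_SUCCESSFUL)                  /* needs [0] responseBytes */
        return (rest > 0 && der[pos + 3] == 0xA0) ? status : -1;
    return rest == 0 ? status : -1;               /* errors carry no body */
}

int main(void)
{
    uint8_t buf[8];
    size_t n = ex_encode_error_response(EX_INTERNAL_ERROR, buf, sizeof buf);
    printf("%zu bytes, parsed status %d\n", n, ex_parse_response_status(buf, n));
    return 0;
}
```

The parser rejects an error status that carries `responseBytes` and a successful status that lacks them, which are the two inconsistent shapes a client-side test should expect to be refused.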
