serf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Branko Čibej <>
Subject Re: Merge the ocsp-verification branch to trunk?
Date Tue, 24 Apr 2018 12:28:30 GMT
On 20.01.2017 13:46, Branko Čibej wrote:
> On 20.01.2017 13:38, Lieven Govaerts wrote:
>> On Sat, Jan 14, 2017 at 5:39 PM, Branko Čibej <> wrote:
>>> I think the ocsp-verification branch is ready to be merged to trunk.
>>> Here's the branch doc:
>>> I've succesfully integrated the OCSP request creation and response
>>> verification into a fairly complex but, sadly, closed-source application
>>> and tested it against OpenSSL's OCSP responder implementation.
>>> Everything seems OK.
>>> Unfortunately, I'm not sure how to add unit tests for the actual request
>>> creation and response parsing; any suggestions towards that would be
>>> appreciated.
>> I've started working on integrating "OCSP Stapling" in the mock HTTPS
>> server in the test framework, but I didn't get very far yet.
>> You can check current status in the test:
>> test_ssl_ocsp_response_error_and_override :
>> Basically you enable OCSP stapling support on the server with:
>>     ConfigServerWithID("server", WithOCSPEnabled)
>> That configures the ocspStatusCallback function to be used in the https server .
>> And then start the OCSP responder with:
>>    SetupOCSPResponder(WithPort(12345))
>> You can then initiate the OCSP responder to respond in certain ways to
>> incoming requests:
>>       OCSPRequest(MatchAny)
>>         Respond(WithOCSPResponseStatus(mhOCSPRespnseStatusInternalError))
>> That's more or less where I got. To complete it, basically an OCSP
>> request/response server needs to be implemented. Relevant functions
>> are:
>> ocspStatusCallback
>> ocspCreateResponse
>> I seem to remember that I used the OpenSSL OCSP test responder as
>> example, but as you can see I didn't complete it.
> Thanks, this is very useful.

So I finally got to the point where I'm trying to use this to write some
OCSP request tests. It seems that the ocspCreateResponse() function is
somewhat naive ... for thorough testing, it would need access to at
least the original OCSP request, in order to copy the nonce to the
response, and a signing certificate in order to sign the response.

-- Brane

View raw message