serf-dev mailing list archives

From Lieven Govaerts <...@mobsol.be>
Subject Re: Merge the ocsp-verification branch to trunk?
Date Thu, 26 Apr 2018 21:30:32 GMT
On 24 April 2018 at 14:28, Branko Čibej <brane@apache.org> wrote:

> On 20.01.2017 13:46, Branko Čibej wrote:
> > On 20.01.2017 13:38, Lieven Govaerts wrote:
> >> On Sat, Jan 14, 2017 at 5:39 PM, Branko Čibej <brane@apache.org> wrote:
> >>> I think the ocsp-verification branch is ready to be merged to trunk.
> >>> Here's the branch doc:
> >>>
> >>> https://svn.apache.org/repos/asf/serf/branches/ocsp-verification/BRANCH-README
> >>>
> >>>
> >>> I've successfully integrated the OCSP request creation and response
> >>> verification into a fairly complex but, sadly, closed-source application
> >>> and tested it against OpenSSL's OCSP responder implementation.
> >>> Everything seems OK.
> >>>
> >>> Unfortunately, I'm not sure how to add unit tests for the actual request
> >>> creation and response parsing; any suggestions towards that would be
> >>> appreciated.
> >> I've started working on integrating "OCSP Stapling" in the mock HTTPS
> >> server in the test framework, but I didn't get very far yet.
> >>
> >> You can check current status in the test:
> >> test_ssl_ocsp_response_error_and_override :
> >>
> >> Basically you enable OCSP stapling support on the server with:
> >>
> >>     ConfigServerWithID("server", WithOCSPEnabled)
> >> That configures the ocspStatusCallback function to be used in the https server.
> >>
> >>
> >> And then start the OCSP responder with:
> >>    SetupOCSPResponder(WithPort(12345))
> >>
> >> You can then initiate the OCSP responder to respond in certain ways to
> >> incoming requests:
> >>       OCSPRequest(MatchAny)
> >>         Respond(WithOCSPResponseStatus(mhOCSPRespnseStatusInternalError))
> >>
> >>
> >> That's more or less where I got. To complete it, basically an OCSP
> >> request/response server needs to be implemented. Relevant functions
> >> are:
> >> ocspStatusCallback
> >> ocspCreateResponse
> >>
> >> I seem to remember that I used the OpenSSL OCSP test responder as
> >> example, but as you can see I didn't complete it.
> > Thanks, this is very useful.
>
> So I finally got to the point where I'm trying to use this to write some
> OCSP request tests. It seems that the ocspCreateResponse() function is
> somewhat naive ... for thorough testing, it would need access to at
> least the original OCSP request, in order to copy the nonce to the
> response, and a signing certificate in order to sign the response.
>

Yeah, I certainly didn't get far in developing that test server.
Maybe it's easier for you to make something specific outside the test
framework?

Lieven

> -- Brane

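The nonce copying that the thread says a thorough test responder needs is what the verifying client checks on its side. As an added example (not serf's code, nor the mock server's), here is a minimal DER walk that pulls the id-pkix-ocsp-nonce extension out of a request and a response and compares them; the messages are constructed skeletons built inline, and the result codes are borrowed from OpenSSL's OCSP_check_nonce() for familiarity.

```python
# Added example (not serf's code): find the id-pkix-ocsp-nonce extension
# (OID 1.3.6.1.5.5.7.48.1.2) in DER and compare request and response nonces
# as a verifying client must; result codes mirror OpenSSL's OCSP_check_nonce().
NONCE_OID = bytes.fromhex("2b0601050507300102")

def der_tlv(data, pos):
    """Decode the TLV header at pos -> (tag, value_start, value_end)."""
    tag, length, hdr = data[pos], data[pos + 1], 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length
def find_nonce(data, pos=0, end=None):
    """Depth-first walk; nonce of the first Extension with the nonce OID, or None."""
    end = len(data) if end is None else end
    while pos < end:
        tag, vstart, vend = der_tlv(data, pos)
        if tag == 0x30 and vend - vstart >= 2:        # SEQUENCE, maybe an Extension
            t, s, e = der_tlv(data, vstart)
            if t == 0x06 and data[s:e] == NONCE_OID:
                t2, s2, e2 = der_tlv(data, e)         # extnValue (OCTET STRING)
                if t2 == 0x01:                        # skip optional 'critical'
                    t2, s2, e2 = der_tlv(data, e2)
                _, s3, e3 = der_tlv(data, s2)         # RFC 8954: the nonce is an
                return data[s3:e3]                    # OCTET STRING inside extnValue
        if tag & 0x20:                                # constructed: descend
            found = find_nonce(data, vstart, vend)
            if found is not None:
                return found
        pos = vend
    return None
def check_nonce(req_der, resp_der):
    """1 equal, 0 differ, -1 request only, 2 absent in both, 3 response only."""
    rn, sn = find_nonce(req_der), find_nonce(resp_der)
    if rn is None:
        return 2 if sn is None else 3
    if sn is None:
        return -1                                     # responder dropped our nonce
    return 1 if rn == sn else 0                       # 0: possible replay, reject
def der(tag, *children):                              # short-form lengths only:
    body = b"".join(children)                         # the samples stay < 128 bytes
    return bytes([tag, len(body)]) + body

def build_skeleton(ext_tag, nonce=None):
    """Constructed OCSPRequest (0xA2 = [2]) / BasicOCSPResponse (0xA1 = [1]) shell."""
    parts = [der(0x30, der(0x30, der(0x05)))]         # dummy list, no CertIDs/signature
    if nonce is not None:
        ext = der(0x30, der(0x06, NONCE_OID), der(0x04, der(0x04, nonce)))
        parts.append(der(ext_tag, der(0x30, ext)))
    return der(0x30, der(0x30, *parts))
```

A client that sent a nonce should treat anything but 1 as a failed check; 2 is only acceptable when it sent no nonce at all.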