serf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Branko Čibej <>
Subject Re: Merge the ocsp-verification branch to trunk?
Date Fri, 27 Apr 2018 08:47:04 GMT
On 26.04.2018 23:30, Lieven Govaerts wrote:
> On 24 April 2018 at 14:28, Branko Čibej <> wrote:
>> On 20.01.2017 13:46, Branko Čibej wrote:
>>> On 20.01.2017 13:38, Lieven Govaerts wrote:
>>>> On Sat, Jan 14, 2017 at 5:39 PM, Branko Čibej <> wrote:
>>>>> I think the ocsp-verification branch is ready to be merged to trunk.
>>>>> Here's the branch doc:
>> verification/BRANCH-README
>>>>> I've succesfully integrated the OCSP request creation and response
>>>>> verification into a fairly complex but, sadly, closed-source
>> application
>>>>> and tested it against OpenSSL's OCSP responder implementation.
>>>>> Everything seems OK.
>>>>> Unfortunately, I'm not sure how to add unit tests for the actual
>> request
>>>>> creation and response parsing; any suggestions towards that would be
>>>>> appreciated.
>>>> I've started working on integrating "OCSP Stapling" in the mock HTTPS
>>>> server in the test framework, but I didn't get very far yet.
>>>> You can check current status in the test:
>>>> test_ssl_ocsp_response_error_and_override :
>>>> Basically you enable OCSP stapling support on the server with:
>>>>     ConfigServerWithID("server", WithOCSPEnabled)
>>>> That configures the ocspStatusCallback function to be used in the https
>> server .
>>>> And then start the OCSP responder with:
>>>>    SetupOCSPResponder(WithPort(12345))
>>>> You can then initiate the OCSP responder to respond in certain ways to
>>>> incoming requests:
>>>>       OCSPRequest(MatchAny)
>>>>         Respond(WithOCSPResponseStatus(mhOCSPRespnseStatusInternalErr
>> or))
>>>> That's more or less where I got. To complete it, basically an OCSP
>>>> request/response server needs to be implemented. Relevant functions
>>>> are:
>>>> ocspStatusCallback
>>>> ocspCreateResponse
>>>> I seem to remember that I used the OpenSSL OCSP test responder as
>>>> example, but as you can see I didn't complete it.
>>> Thanks, this is very useful.
>> So I finally got to the point where I'm trying to use this to write some
>> OCSP request tests. It seems that the ocspCreateResponse() function is
>> somewhat naive ... for thorough testing, it would need access to at
>> least the original OCSP request, in order to copy the nonce to the
>> response, and a signing certificate in order to sign the response.
> ​Yeah, I certainly didn't get far in developing that test server.
> Maybe it's easier for you to make something specific outside the test
> framework?

Actually I'm on a simpler track. Since the responsibility for issuing
OCSP requests is the application's, not Serf proper, there's really no
point in using the MockHTTP server as an OCSP responder for that. I'm
simply going to write a helper function for the tests that creates a
response for a given request, and test the parsing/verification code
with that.

-- Brane

View raw message