On Sat, May 16, 2015 at 10:39 AM, Daniel Ruggeri <drugg...@primary.net> wrote:
> +1, but I would also propose a command line flag to override the SNI host > name supplied in case one is testing directly by IP address. > in that case shouldn't you also be overriding Host:, so the SNI host name can use the same override? I think this may lead the user into a more helpful scenario, if indeed they don't already know when to override Host:, and I don't know how useful it is to have different values for Host: and SNI. > -- > Daniel Ruggeri > > ------------------------------ > *From:* Jeff Trawick <traw...@gmail.com> > *Sent:* May 12, 2015 2:31:37 PM CDT > *To:* Apache HTTP Server Development List <dev@httpd.apache.org> > *Subject:* silly ab patch for SNI and OCSP stapling > > ... where "OCSP stapling" means "get the server to do the related work > but don't care what you get back". > > Perhaps this doesn't save any time for anybody that would want to test > such a thing, but who knows? > > Index: support/ab.c > ------------------------------ > > --- support/ab.c (revision 1679028) > +++ support/ab.c (working copy) > @@ -1287,6 +1287,8 @@ > bio = BIO_new_socket(fd, BIO_NOCLOSE); > SSL_set_bio(c->ssl, bio, bio); > SSL_set_connect_state(c->ssl); > + SSL_set_tlsext_host_name(c->ssl, hostname); > + SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp); > if (verbosity >= 4) { > BIO_set_callback(bio, ssl_print_cb); > BIO_set_callback_arg(bio, (void *)bio_err); > > The lack of SNI is a pretty big hole now; it probably doesn't need much > extra in the way of #if/if to do the right thing. > > -- Born in Roswell... married an alien... http://emptyhammock.com/
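Review bot: The two calls added after SSL_set_connect_state(c->ssl) are unconditional and their return values are ignored. SSL_set_tlsext_host_name(c->ssl, hostname) sends whatever hostname holds; if that is an IP literal (the direct-by-IP case raised in the thread), the result is an SNI value that RFC 6066 does not permit in HostName, so skip the call for address literals or take the name from the proposed override option. Check the return value as well, so a failure to set SNI is reported instead of silently benchmarking the server's default virtual host. Both calls depend on TLS extension support in the OpenSSL build and should sit inside a guard such as #ifndef OPENSSL_NO_TLSEXT, which is the "#if/if" the message itself mentions. SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp) changes the work the server does on every handshake, so consider making it opt-in through a command-line flag to keep existing benchmark numbers comparable.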