On 24 April 2018 at 14:28, Branko Čibej <br...@apache.org> wrote:
> On 20.01.2017 13:46, Branko Čibej wrote:
> > On 20.01.2017 13:38, Lieven Govaerts wrote:
> >> On Sat, Jan 14, 2017 at 5:39 PM, Branko Čibej <br...@apache.org> wrote:
> >>> I think the ocsp-verification branch is ready to be merged to trunk.
> >>> Here's the branch doc:
> >>>
> >>> https://svn.apache.org/repos/asf/serf/branches/ocsp-verification/BRANCH-README
> >>>
> >>> I've successfully integrated the OCSP request creation and response
> >>> verification into a fairly complex but, sadly, closed-source application
> >>> and tested it against OpenSSL's OCSP responder implementation.
> >>> Everything seems OK.
> >>>
> >>> Unfortunately, I'm not sure how to add unit tests for the actual request
> >>> creation and response parsing; any suggestions towards that would be
> >>> appreciated.
> >> I've started working on integrating "OCSP Stapling" in the mock HTTPS
> >> server in the test framework, but I didn't get very far yet.
> >>
> >> You can check current status in the test:
> >> test_ssl_ocsp_response_error_and_override :
> >>
> >> Basically you enable OCSP stapling support on the server with:
> >>
> >> ConfigServerWithID("server", WithOCSPEnabled)
> >> That configures the ocspStatusCallback function to be used in the https server.
> >>
> >> And then start the OCSP responder with:
> >> SetupOCSPResponder(WithPort(12345))
> >>
> >> You can then initiate the OCSP responder to respond in certain ways to
> >> incoming requests:
> >> OCSPRequest(MatchAny)
> >> Respond(WithOCSPResponseStatus(mhOCSPRespnseStatusInternalError))
> >>
> >> That's more or less where I got. To complete it, basically an OCSP
> >> request/response server needs to be implemented. Relevant functions
> >> are:
> >> ocspStatusCallback
> >> ocspCreateResponse
> >>
> >> I seem to remember that I used the OpenSSL OCSP test responder as
> >> example, but as you can see I didn't complete it.
> > Thanks, this is very useful.
>
> So I finally got to the point where I'm trying to use this to write some
> OCSP request tests. It seems that the ocspCreateResponse() function is
> somewhat naive ... for thorough testing, it would need access to at
> least the original OCSP request, in order to copy the nonce to the
> response, and a signing certificate in order to sign the response.
>
Yeah, I certainly didn't get far in developing that test server. Maybe it's
easier for you to make something specific outside the test framework?

Lieven
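The two things Brane says the mock responder is missing, copying the request nonce into the response and signing the response with a certificate the client trusts, can be exercised outside the test framework with the openssl command line, along the lines Lieven suggests. This is an added example, not code from this thread or from serf's test framework; the CA, leaf, serial and file names are all constructed here, and it only needs the openssl binary.

```shell
#!/bin/sh
# Added example, not code from the serf thread or its test framework: an OCSP
# round trip driven by the openssl CLI that shows the two things Brane says the
# mock ocspCreateResponse() lacks: copying the request nonce into the response,
# and signing the response with a certificate the client trusts.
# Every file name, subject and serial below is constructed for this example.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Constructed PKI: a CA that also signs OCSP responses, one leaf (serial 1), an
# openssl-ca style index marking the leaf valid (V), and an untrusted second CA.
setup_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj /CN=ConstructedTestCA -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj /CN=constructed-leaf 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
        -days 1 -out leaf.pem 2>/dev/null
    printf 'V\t991231235959Z\t\t01\tunknown\t/CN=constructed-leaf\n' >index.txt
    openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.pem \
        -subj /CN=ConstructedRogueCA -days 1 2>/dev/null
}

# Client side: a request for leaf.pem; openssl adds a fresh random nonce to it.
make_request() { openssl ocsp -issuer ca.pem -cert leaf.pem -reqout "$1" >/dev/null; }
# Responder side: answer request $1 into $2, signed with cert $3 and key $4.
# openssl copies the nonce out of the request it is handed (-no_nonce keeps the
# loaded request as-is), which is why a mock responder needs the original request.
make_response() {
    openssl ocsp -index index.txt -CA ca.pem -rsigner "$3" -rkey "$4" -ndays 1 \
        -reqin "$1" -no_nonce -respout "$2" -noverify >/dev/null
}

# Relying party: the signature must chain to ca.pem and the response nonce must
# equal the one in request $2; the leaf must also be reported good. Prints ok/fail.
verify_response() {
    out=$(openssl ocsp -respin "$1" -reqin "$2" -no_nonce -CAfile ca.pem \
        -resp_text 2>&1) || { echo fail; return 0; }
    if printf '%s\n' "$out" | grep -q 'Response verify OK' &&
       printf '%s\n' "$out" | grep -q 'Cert Status: good'; then echo ok; else echo fail; fi
}
setup_pki
make_request req1.der
make_request req2.der                                  # same cert, different nonce
make_response req1.der good.der ca.pem ca.key
make_response req1.der rogue.der rogue.pem rogue.key   # right nonce, wrong signer
echo "nonce matches, trusted signer: $(verify_response good.der req1.der)"   # ok
echo "nonce from another request:    $(verify_response good.der req2.der)"   # fail
echo "untrusted responder signature: $(verify_response rogue.der req1.der)"  # fail
```

The second and third checks are the failure modes a naive mock produces: a response whose nonce was not taken from the actual request is rejected with a nonce verify error, and one signed by a key the client does not trust fails signature verification even though its status content is correct.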