On Thu, Jan 15, 2026 at 7:38 PM Mark Thomas <[email protected]> wrote:
> On 15/01/2026 16:53, Dimitris Soumis wrote: > > On Thu, Jan 15, 2026 at 6:35 PM Mark Thomas <[email protected]> wrote: > > > >> On 15/01/2026 14:01, Mark Thomas wrote: > >>> On 15/01/2026 13:30, Mark Thomas wrote: > >>>> On 15/01/2026 13:11, Dimitris Soumis wrote: > >> > >> <snip/> > >> > >>>>> I am attaching a draft patch, fixing those issues and resulting in > >>>>> all tests passing. > >>>>> The patch breaks something, as I > >>>>> see TestOcspTimeout.testTimeoutWithoutSoftFail fails. I will look > >>>>> into it later. > >>>> > >>>> Thanks. That is really helpful. > >>>> > >>>> I've spent the morning looking at the native crashes and have made > >>>> some progress but I could do with a break from that so I'll look at > >>>> the draft patch. > >>> > >>> Yes. That all makes sense. I've re-worked TesterSupport.initSsl because > >>> the various overloaded methods let you change the server cert for JSSE > >>> configuration style but not OPENSSL. My local change allows the default > >>> certificate file and certificate key file to be overridden as well > >>> (which is what the OCSP tests needs to do). > >>> > >>> I also spotted an issue with JSSE vs OpenSSL trust configuration that > >>> I've fixed. > >>> > >>> The OCSP tests are passing now with APR. I just need to check I haven't > >>> broken anything else. > >> > >> The OCSP soft fail tests are, somewhat ironically, failing. But only > >> with APR. I think I have tracked down the error but it is in native > >> code. If I am right, it is only 1.3.x that is affected. > >> > >> There is a strong possibility that we are going to need another Native > >> 1.3.x release. I'm thinking: > >> - Try and get that out today > >> - Get most votes tomorrow > >> - Call the result Monday and then tag. > >> > >> Thoughts? > >> > > +1 > > I think ocsp_soft_fail needs to be taken into consideration in > sslcontext.c > > as is being done for the other attributes. > > I've just committed a different fix but I could well have missed > something. What did you have in mind? > My bad, your fix works great. > > Mark > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
