On 2013-02-09 at 12:27 +0000, Jeremy Harris wrote:
> But I also want to verify that, client-side, exim properly rejects
> a connection where the server staples outdated (or revoked)
> info. I can do that by making the server-side check depend
> on running_in_test_harness - but that means I can't do the
> server-side testing with the same build of exim.

If running_in_test_harness, honour an environment variable
$EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK ? *Only* honour that if
already running in test harness, to avoid any risk of a security hole.

Would that work?

> I'm not aware of a convenient utility that talks all of
> ESMTP, STARTTLS and OCSP, server side. Any runtime
> ways anyone can think of to defeat the "don't staple bogus info"
> test? Any way of pointing the testsuite to a "normal" binary
> (vs. the running_in_test_harness one)?

Not aware of any; it's part of why I put OCSP stapling into experimental,
even in the very limited state I had it: providing a basis for testing
against. Also, seeing if there's any feedback from anyone, ever, that it's
a desired feature. I suspect that with automatic stapling, as you're
doing, a lot more people will desire it. :)

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
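The gating Phil proposes above, as an added illustrative model in C (not Exim's own code): the server-side "don't staple bogus info" check can be switched off by the environment variable only when the binary is already running in the test harness, while the client-side acceptance check never consults the override. The `ocsp_response` struct, the `server_should_staple` / `client_accept_staple` functions and the timestamps are constructed for the example; only the variable name comes from the mail.

```c
#include <stdlib.h>
#include <time.h>

typedef enum { OCSP_GOOD = 0, OCSP_REVOKED = 1, OCSP_UNKNOWN = 2 } ocsp_status;

/* Constructed stand-in for a parsed stapled OCSP response (not real ASN.1). */
typedef struct {
  ocsp_status status;
  time_t this_update;   /* start of the validity window */
  time_t next_update;   /* end of the validity window; 0 if the responder gave none */
} ocsp_response;

/* Is the response acceptable at time `now`?  Shared by server and client. */
int ocsp_response_valid(const ocsp_response *r, time_t now) {
  if (r->status != OCSP_GOOD) return 0;                        /* revoked / unknown */
  if (now < r->this_update) return 0;                          /* not yet valid */
  if (r->next_update != 0 && now > r->next_update) return 0;   /* stale */
  return 1;
}

/* The override is honoured only if already in the test harness, so a
 * production binary never reacts to the environment variable at all.
 * `env_value` is the raw getenv() result (NULL when unset). */
int ocsp_validity_check_disabled(int running_in_test_harness, const char *env_value) {
  if (!running_in_test_harness) return 0;
  return env_value != NULL && env_value[0] != '\0';
}

/* Server side: staple the cached response?  Normally only when it is valid;
 * under the harness override, staple it anyway so a client can be tested
 * against outdated or revoked info. */
int server_should_staple(const ocsp_response *r, time_t now, int running_in_test_harness) {
  const char *env = getenv("EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK");
  if (ocsp_validity_check_disabled(running_in_test_harness, env)) return 1;
  return ocsp_response_valid(r, now);
}

/* Client side: accept the stapled info?  The override never applies here,
 * so a client under test still rejects what the overridden server staples. */
int client_accept_staple(const ocsp_response *r, time_t now) {
  return ocsp_response_valid(r, now);
}
```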
