+1, to both! Thanks.
On Tue, May 12, 2015 at 9:31 PM, Jeff Trawick <traw...@gmail.com> wrote:
> ... where "OCSP stapling" means "get the server to do the related work but
> don't care what you get back".
>
> Perhaps this doesn't save any time for anybody that would want to test such
> a thing, but who knows?
>
> Index: support/ab.c
> ===================================================================
> --- support/ab.c (revision 1679028)
> +++ support/ab.c (working copy)
> @@ -1287,6 +1287,8 @@
> bio = BIO_new_socket(fd, BIO_NOCLOSE);
> SSL_set_bio(c->ssl, bio, bio);
> SSL_set_connect_state(c->ssl);
> + SSL_set_tlsext_host_name(c->ssl, hostname);
> + SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp);
> if (verbosity >= 4) {
> BIO_set_callback(bio, ssl_print_cb);
> BIO_set_callback_arg(bio, (void *)bio_err);
>
> The lack of SNI is a pretty big hole now; it probably doesn't need much
> extra in the way of #if/if to do the right thing.
>
