+1, but I would also propose a command line flag to override the SNI host name
supplied in case one is testing directly by IP address.
--
Daniel Ruggeri
-------- Original Message --------
From: Jeff Trawick <traw...@gmail.com>
Sent: May 12, 2015 2:31:37 PM CDT
To: Apache HTTP Server Development List <dev@httpd.apache.org>
Subject: silly ab patch for SNI and OCSP stapling
... where "OCSP stapling" means "get the server to do the related work
but don't care what you get back".
Perhaps this doesn't save any time for anybody that would want to test
such a thing, but who knows?
Index: support/ab.c
===================================================================
--- support/ab.c (revision 1679028)
+++ support/ab.c (working copy)
@@ -1287,6 +1287,8 @@
bio = BIO_new_socket(fd, BIO_NOCLOSE);
SSL_set_bio(c->ssl, bio, bio);
SSL_set_connect_state(c->ssl);
+ SSL_set_tlsext_host_name(c->ssl, hostname);
+ SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp);
if (verbosity >= 4) {
BIO_set_callback(bio, ssl_print_cb);
BIO_set_callback_arg(bio, (void *)bio_err);
The lack of SNI is a pretty big hole now; it probably doesn't need much
extra in the way of #if/if to do the right thing.
