+1, but I would also propose a command line flag to override the SNI host name supplied in case one is testing directly by IP address. -- Daniel Ruggeri
-------- Original Message -------- From: Jeff Trawick <traw...@gmail.com> Sent: May 12, 2015 2:31:37 PM CDT To: Apache HTTP Server Development List <dev@httpd.apache.org> Subject: silly ab patch for SNI and OCSP stapling ... where "OCSP stapling" means "get the server to do the related work but don't care what you get back". Perhaps this doesn't save any time for anybody that would want to test such a thing, but who knows? Index: support/ab.c =================================================================== --- support/ab.c (revision 1679028) +++ support/ab.c (working copy) @@ -1287,6 +1287,8 @@ bio = BIO_new_socket(fd, BIO_NOCLOSE); SSL_set_bio(c->ssl, bio, bio); SSL_set_connect_state(c->ssl); + SSL_set_tlsext_host_name(c->ssl, hostname); + SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp); if (verbosity >= 4) { BIO_set_callback(bio, ssl_print_cb); BIO_set_callback_arg(bio, (void *)bio_err); The lack of SNI is a pretty big hole now; it probably doesn't need much extra in the way of #if/if to do the right thing.