On Sat, May 16, 2015 at 10:39 AM, Daniel Ruggeri <drugg...@primary.net>
wrote:

> +1, but I would also propose a command line flag to override the SNI host
> name supplied in case one is testing directly by IP address.
>

In that case shouldn't you also be overriding Host:, so the SNI host name
can use the same override?  I think this may lead the user into a more
helpful scenario, if indeed they don't already know when to override Host:,
and I don't know how useful it is to have different values for Host: and
SNI.



> --
> Daniel Ruggeri
>
> ------------------------------
> *From:* Jeff Trawick <traw...@gmail.com>
> *Sent:* May 12, 2015 2:31:37 PM CDT
> *To:* Apache HTTP Server Development List <dev@httpd.apache.org>
> *Subject:* silly ab patch for SNI and OCSP stapling
>
> ... where "OCSP stapling" means "get the server to do the related work
> but don't care what you get back".
>
> Perhaps this doesn't save any time for anybody that would want to test
> such a thing, but who knows?
>
> Index: support/ab.c
> ------------------------------
>
> --- support/ab.c    (revision 1679028)
> +++ support/ab.c    (working copy)
> @@ -1287,6 +1287,8 @@
>           bio = BIO_new_socket(fd, BIO_NOCLOSE);
>           SSL_set_bio(c->ssl, bio, bio);
>           SSL_set_connect_state(c->ssl);
> +        SSL_set_tlsext_host_name(c->ssl, hostname);
> +        SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp);
>           if (verbosity >= 4) {
>               BIO_set_callback(bio, ssl_print_cb);
>               BIO_set_callback_arg(bio, (void *)bio_err);
>
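
Review bot: the two calls added after `SSL_set_connect_state(c->ssl)` run unconditionally and discard their return values. `SSL_set_tlsext_host_name` and `SSL_set_tlsext_status_type` exist only when OpenSSL is built with TLS extension support, so the pair should sit inside a guard such as `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` to keep ab building against libraries without it. `hostname` is passed as-is; when it is an IP literal the SNI call should be skipped, since RFC 6066 does not permit literal addresses in the HostName field. A failing `SSL_set_tlsext_host_name` is also worth reporting through the existing `verbosity` path, so a run does not silently benchmark the default vhost without SNI.
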
> The lack of SNI is a pretty big hole now; it probably doesn't need much
> extra in the way of #if/if to do the right thing.
>
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
