On Sat, Jan 14, 2017 at 5:39 PM, Branko Čibej <[email protected]> wrote:
>
> I think the ocsp-verification branch is ready to be merged to trunk.
> Here's the branch doc:
>
> https://svn.apache.org/repos/asf/serf/branches/ocsp-verification/BRANCH-README
>
>
> I've succesfully integrated the OCSP request creation and response
> verification into a fairly complex but, sadly, closed-source application
> and tested it against OpenSSL's OCSP responder implementation.
> Everything seems OK.
>
> Unfortunately, I'm not sure how to add unit tests for the actual request
> creation and response parsing; any suggestions towards that would be
> appreciated.
I've started working on integrating "OCSP Stapling" in the mock HTTPS
server in the test framework, but I didn't get very far yet.
You can check current status in the test:
test_ssl_ocsp_response_error_and_override :
Basically you enable OCSP stapling support on the server with:
ConfigServerWithID("server", WithOCSPEnabled)
That configures the ocspStatusCallback function to be used in the https server .
And then start the OCSP responder with:
SetupOCSPResponder(WithPort(12345))
You can then initiate the OCSP responder to respond in certain ways to
incoming requests:
OCSPRequest(MatchAny)
Respond(WithOCSPResponseStatus(mhOCSPRespnseStatusInternalError))
That's more or less where I got. To complete it, basically an OCSP
request/response server needs to be implemented. Relevant functions
are:
ocspStatusCallback
ocspCreateResponse
I seem to remember that I used the OpenSSL OCSP test responder as
example, but as you can see I didn't complete it.
>
> However, I don't think the lack of tests should block the
> merge to trunk; tests can always be written later, and in the meantime
> you can take my word for it that it works. :)
He, luckily we know you :) .
Lieven
> -- Brane
