author Jeremy Harris <jgh146exb@wizmail.org> 2013-03-24 21:49:12 +0000
committer Jeremy Harris <jgh146exb@wizmail.org> 2013-03-25 22:42:48 +0000
commit f5d786885721c374cc22a1f1311ca01408a496fd
tree 528ec5ecb56fc077445855d16014bc9a9c86d967 /test/README
parent 26e72755c101f59e24735e9ca9a320d5f1ebc2b7
OCSP-stapling enhancement and testing.
Server: Honor environment variable as well as running_in_test_harness in permitting bogus staplings
Update server tests
Add "-ocsp" option to client-ssl.
Server side: add verification of stapled status.
First cut server-mode ocsp testing.
Fix some uninitialized ocsp-related data.
Client (new): Verify stapling using only the chain that verified the server cert, not any acceptable chain.
Add check for multiple responses in a stapling, which is not handled
Refuse verification on expired and revoking staplings.
Handle OCSP client refusal on lack of stapling from server.
More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
Add transport hosts_require_ocsp option.
Log stapling responses.
Start on tests for client-side.
Testing support: Add CRL generation code and documentation update
Initial CA & certificate set for testing.
BUGFIX: Once a single OCSP response has been extracted the validation routine return code is no longer about the structure, but the actual returned OCSP status.
Diffstat (limited to 'test/README')
-rw-r--r-- test/README 8
1 files changed, 5 insertions, 3 deletions
diff --git a/test/README b/test/README
index 7e778eee7..c64b02206 100644
--- a/test/README
+++ b/test/README
@@ -843,9 +843,11 @@ and port, using the specified interface, if one is given.
When OpenSSL is available on the host, an alternative version of the client
program is compiled, one that supports TLS using OpenSSL. The additional
-arguments specify a certificate and key file when required. There is one
-additional option, -tls-on-connect, that causes the client to initiate TLS
-negotiation immediately on connection.
+arguments specify a certificate and key file when required for the connection.
+There are two additional options: -tls-on-connect, that causes the client to
+initiate TLS negociation immediately on connection; -ocsp that causes the TLS
+negotiation to include a certificate-status request. The latter takes a
+filename argument, the CA info for verifying the stapled response.
client-gnutls [<options>] <ip address> <port> [<outgoing interface>] \
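Review bot: The new -ocsp description says only that the option "takes a filename argument, the CA info for verifying the stapled response"; it does not state what the file must contain (for example its encoding, or whether it is a single CA certificate or a bundle) or what the test client does when the server returns no stapled response or the response fails verification. Test authors need that to write expected-output files, so please add a sentence covering the file format and the failure behaviour. Two wording points in the same added lines: "negociation" in "initiate TLS negociation immediately on connection" is misspelled, while the following line spells it "negotiation", and the two option descriptions would read more cleanly as "-tls-on-connect, which causes ...; and -ocsp, which causes ...".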