From f5d786885721c374cc22a1f1311ca01408a496fd Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sun, 24 Mar 2013 21:49:12 +0000
Subject: OCSP-stapling enhancement and testing.

Server:
Honor environment variable as well as running_in_test_harness in permitting bogus staplings
Update server tests
Add "-ocsp" option to client-ssl.
Server side: add verification of stapled status.
First cut server-mode ocsp testing.
Fix some uninitialized ocsp-related data.

Client (new):
Verify stapling using only the chain that verified the server cert, not any acceptable chain.
Add check for multiple responses in a stapling, which is not handled
Refuse verification on expired and revoking staplings.
Handle OCSP client refusal on lack of stapling from server.
More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
Add transport hosts_require_ocsp option.
Log stapling responses.
Start on tests for client-side.

Testing support:
Add CRL generation code and documentation update
Initial CA & certificate set for testing.

BUGFIX: Once a single OCSP response has been extracted the validation routine return code is no longer about the structure, but the actual returned OCSP status.
---
 test/README | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'test/README')

diff --git a/test/README b/test/README
index 7e778eee7..c64b02206 100644
--- a/test/README
+++ b/test/README
@@ -843,9 +843,11 @@ and port, using the specified interface, if one is given. When OpenSSL is available on the host, an alternative version of the client program is compiled, one that supports TLS using OpenSSL. The additional -arguments specify a certificate and key file when required. There is one -additional option, -tls-on-connect, that causes the client to initiate TLS -negotiation immediately on connection. +arguments specify a certificate and key file when required for the connection. +There are two additional options: -tls-on-connect, that causes the client to +initiate TLS negociation immediately on connection; -ocsp that causes the TLS +negotiation to include a certificate-status request. The latter takes a +filename argument, the CA info for verifying the stapled response. client-gnutls [] [] \ -- cgit v1.2.3
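Review bot: the added text spells it "negociation" on one line and "negotiation" on the next; fix the typo so the README stays consistent (the original line it replaces already had the correct spelling). The same hunk documents that -ocsp "takes a filename argument, the CA info for verifying the stapled response" but not what the client does when the server sends no stapled status or the stapled status fails to verify, although the commit message says the client refuses in both cases ("Handle OCSP client refusal on lack of stapling from server", "Refuse verification on expired and revoking staplings"); a sentence along the lines of "If the server sends no stapled status, or the stapled status does not verify against that CA file, the client refuses to proceed." would tell test authors which failures to expect. Minor: "-ocsp that causes the TLS" is a fragment after the semicolon; "and -ocsp, which causes the TLS" parallels the description of -tls-on-connect.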