From f5d786885721c374cc22a1f1311ca01408a496fd Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 24 Mar 2013 21:49:12 +0000 Subject: OCSP-stapling enhancement and testing. Server: Honor environment variable as well as running_in_test_harness in permitting bogus staplings Update server tests Add "-ocsp" option to client-ssl. Server side: add verification of stapled status. First cut server-mode ocsp testing. Fix some uninitialized ocsp-related data. Client (new): Verify stapling using only the chain that verified the server cert, not any acceptable chain. Add check for multiple responses in a stapling, which is not handled Refuse verification on expired and revoking staplings. Handle OCSP client refusal on lack of stapling from server. More fixing in client OCSP: use the server cert signing chain to verify the OCSP info. Add transport hosts_require_ocsp option. Log stapling responses. Start on tests for client-side. Testing support: Add CRL generation code and documentation update Initial CA & certificate set for testing. BUGFIX: Once a single OCSP response has been extracted the validation routine return code is no longer about the structure, but the actual returned OCSP status. --- .../server1.example.net.ocsp.good.resp | Bin 0 -> 706 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp (limited to 'test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp') diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp new file mode 100644 index 000000000..b2cb446e7 Binary files /dev/null and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp differ -- cgit v1.2.3