Re: [exim-dev] Exim OCSP stapling

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Phil Pennock
Dátum:  
Címzett: Jeremy Harris
CC: exim-dev
Tárgy: Re: [exim-dev] Exim OCSP stapling
On 2013-02-09 at 12:27 +0000, Jeremy Harris wrote:
> But I also want to verify that, client-side, exim properly rejects
> a connection where the server staples outdated (or revoked)
> info. I can do that by making the server-side check depend
> on running_in_test_harness - but that means I can't do the
> server-side testing with the same build of exim.


If running_in_test_harness, honour an environment variable
$EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK ?

*Only* honour that if already running in test harness, to avoid any risk
of a security hole.

Would that work?

> I'm not aware of a convenient utility that talks all of
> ESMTP, STARTTLS and OCSP, server side. Any runtime
> ways anyone can think of to defeat the "don't staple bogus info"
> test? Any way of pointing the testsuite to a "normal" binary
> (vs. the running_in_test_harness one)?


Not aware of any; it's part of why I put OCSP stapling into
experimental, even in the very limited state I had it: providing a basis
for testing against. Also, seeing if there's any feedback from anyone,
ever, that it's a desired feature. I suspect that with automatic
stapling, as you're doing, a lot more people will desire it. :)

-Phil