From 442c78dc326d68af3e0b7453a2ec629d70196531 Mon Sep 17 00:00:00 2001
From: David Zhang
Date: Tue, 5 Mar 2024 15:38:35 -0800
Subject: [PATCH 3/3] test - support certificate status check using OCSP staplin
---
 src/test/ssl/conf/ocsp_ca.config | 18 +++
 src/test/ssl/sslfiles.mk | 124 +++++++++++++++-
 src/test/ssl/t/001_ssltests.pl | 198 ++++++++++++++++++++++++++
 src/test/ssl/t/SSL/Backend/OpenSSL.pm | 3 +
 src/test/ssl/t/SSL/Server.pm | 4 +
 5 files changed, 342 insertions(+), 5 deletions(-)
 create mode 100644 src/test/ssl/conf/ocsp_ca.config
diff --git a/src/test/ssl/conf/ocsp_ca.config b/src/test/ssl/conf/ocsp_ca.config
new file mode 100644
index 0000000000..b866085911
--- /dev/null
+++ b/src/test/ssl/conf/ocsp_ca.config
@@ -0,0 +1,18 @@
+# An OpenSSL format CSR config file for creating the ocsp responder certificate.
+# This configuration file is also used when operating the CA.
+#
+# This certificate is used to sign OCSP resonpose.
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+req_extensions = v3_ocsp
+
+[ req_distinguished_name ]
+CN = Test CA for PostgreSQL SSL regression test ocsp response
+
+# Extensions for OCSP responder certs
+[ v3_ocsp ]
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = OCSPSigning
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index 88c93ec18d..fd92970698 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -35,6 +35,14 @@ SERVERS := server-cn-and-alt-names \
 server-revoked
 CLIENTS := client client-dn client-revoked client_ext client-long \
 client-revoked-utf8
+OCSPS := server-ocsp-good \
+ server-ocsp-revoked \
+ server-ocsp-expired \
+ server-ocsp-unknown \
+ server-ca-ocsp-good \
+ server-ca-ocsp-revoked \
+ server-ca-ocsp-expired \
+ server-ca-ocsp-unknown
 #
 # To add a new non-standard certificate, add it to SPECIAL_CERTS and then add
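Review bot: In `[ v3_ocsp ]`, `keyUsage = nonRepudiation, digitalSignature, keyEncipherment` is wider than an OCSP responder needs; signing responses only requires `digitalSignature`, so `keyUsage = digitalSignature` keeps the responder key scoped to that single purpose. If the client is expected to verify the responder certificate's own status, `noCheck = ignore` (the id-pkix-ocsp-nocheck extension) is the usual companion of `extendedKeyUsage = OCSPSigning`; whether the client code from patch 2/3 needs it is not visible here. The header comment also carries copy-paste residue: `OCSP resonpose` should read `OCSP response`, and `This configuration file is also used when operating the CA` does not apply to a `CA:false` responder certificate.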
@@ -62,14 +70,16 @@ COMBINATIONS := \
 ssl/root+client_ca.crt \
 ssl/root+client.crl \
 ssl/client+client_ca.crt \
- ssl/server-cn-only+server_ca.crt
+ ssl/server-cn-only+server_ca.crt \
+ ssl/server-ip-cn-only+server_ca.crt
-CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
+CERTIFICATES := root_ca server_ca client_ca ocsp_ca $(SERVERS) $(CLIENTS)
 STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
 STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
 CRLS := ssl/root.crl \
 ssl/client.crl \
 ssl/server.crl
+OCSPRES := $(OCSPS:%=ssl/%.res)
 SSLFILES := \
 $(STANDARD_CERTS) \
@@ -77,7 +87,8 @@ SSLFILES := \
 $(SPECIAL_CERTS) \
 $(SPECIAL_KEYS) \
 $(COMBINATIONS) \
- $(CRLS)
+ $(CRLS) \
+ $(OCSPRES)
 SSLDIRS := ssl/client-crldir \
 ssl/server-crldir \
 ssl/root+client-crldir \
@@ -154,6 +165,9 @@ ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
 # for the server, to present to a client that only knows the root
 ssl/server-cn-only+server_ca.crt: ssl/server-cn-only.crt ssl/server_ca.crt
+# for the server, to check when stapled ocsp response doesn't match server certificate
+ssl/server-ip-cn-only+server_ca.crt: ssl/server-ip-cn-only.crt ssl/server_ca.crt
+
 # If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
 # chain, even if some of them are empty.
 ssl/root+server.crl: ssl/root.crl ssl/server.crl
@@ -174,7 +188,7 @@ $(STANDARD_KEYS):
 # Standard certificates
 #
-CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
+CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt ssl/ocsp_ca.crt
 SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
 CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
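Review bot: Adding `ssl/ocsp_ca.crt` to `CA_CERTS` routes it through the same issuing rule as `server_ca` and `client_ca`, whose recipe is outside this hunk; if that rule signs with the CA's own `x509_extensions` section rather than honouring the CSR's `req_extensions = v3_ocsp`, the issued responder certificate will carry the CA extensions instead of `CA:false` plus the `OCSPSigning` EKU from `conf/ocsp_ca.config`, and the "responder" would in fact be a CA certificate. Worth confirming with `openssl x509 -in ssl/ocsp_ca.crt -noout -text` before the regenerated fixtures are committed, or giving `ssl/ocsp_ca.crt` its own rule that passes `-extensions v3_ocsp`. Either way a comment on the `CA_CERTS` line explaining why a non-CA certificate lives in that list would save the next reader the same question.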
@@ -227,6 +241,106 @@ ssl/%-certindex.attr:
 ssl/%.srl:
 date +%Y%m%d%H%M%S00 > $@
+#
+# OCSP
+#
+.INTERMEDIATE: $(OCSPS:%=ssl/%.idx)
+# given status 'V' without 'revocation date' to generate an ocsp response with status 'good' for 10000 days
+ssl/server-ocsp-good.idx: ssl/server-cn-only.crt
+ expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
+ serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
+ cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
+ echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" > $@
+
+# given status 'R' and 'revocation date' to generate an ocsp response with status 'revoked' for 10000 days
+ssl/server-ocsp-revoked.idx: ssl/server-cn-only.crt
+ expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
+ serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
+ revocation_date=$$(date --utc +'%y%m%d%H%M%SZ'); \
+ cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
+ echo "R\t$$expiration_date\t$$revocation_date\t$$serial_number\tunknown\t$$cert_subject" > $@
+
+# generate an ocsp response with status 'unknown' using a none-existing certificate serial number 1970010100000000
+ssl/server-ocsp-unknown.idx: ssl/server-cn-only.crt
+ expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
+ serial_number="1970010100000000"; \
+ cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
+ echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" > $@
+
+# generate an ocsp response with status 'good' but nextUpdate 'expired' in only 1 minute
+ssl/server-ocsp-expired.idx: ssl/server-cn-only.crt
+ expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
+ serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
+ cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
+ echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" > $@
+
+# server-cn-only.crt (good), ocsp response for server_ca.crt in (good|revoked|unknown|expired)
+# good, good
+ssl/server-ca-ocsp-good.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
+ expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
+ serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
+ cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
+ cat ssl/server-ocsp-good.idx > $@; \
+ echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" >> $@
+
+# good, revoked
+ssl/server-ca-ocsp-revoked.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
+ expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
+ serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
+ revocation_date=$$(date --utc +'%y%m%d%H%M%SZ'); \
+ cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
+ cat ssl/server-ocsp-good.idx > $@; \
+ echo "R\t$$expiration_date\t$$revocation_date\t$$serial_number\tunknown\t$$cert_subject" >> $@
+
+# good, unknown
+ssl/server-ca-ocsp-unknown.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
+ expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
+ serial_number="1970010100000001"; \
+ cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
+ cat ssl/server-ocsp-good.idx > $@; \
+ echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" >> $@
+
+# good, expired
+ssl/server-ca-ocsp-expired.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
+ expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
+ serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
+ cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
+ cat ssl/server-ocsp-good.idx > $@; \
+ echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" >> $@
+
+$(OCSPRES):
+# server-cn-only: 'good'
+ssl/server-ocsp-good.res: ssl/server-ocsp-good.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt
+ $(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -issuer ssl/server_ca.crt -ndays 10000 -cert ssl/server-cn-only.crt -respout $@
+
+# server-cn-only: 'revoked'
+ssl/server-ocsp-revoked.res: ssl/server-ocsp-revoked.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt
+ $(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -issuer ssl/server_ca.crt -ndays 10000 -cert ssl/server-cn-only.crt -respout $@
+
+# server-cn-only: 'unknown'
+ssl/server-ocsp-unknown.res: ssl/server-ocsp-unknown.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt
+ $(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -issuer ssl/server_ca.crt -ndays 10000 -cert ssl/server-cn-only.crt -respout $@
+
+# server-cn-only: 'expired'
+ssl/server-ocsp-expired.res: ssl/server-ocsp-expired.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt
+ $(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -issuer ssl/server_ca.crt -nmin 1 -cert ssl/server-cn-only.crt -respout $@
+
+# server-cn-only, server_ca: 'good, good'
+ssl/server-ca-ocsp-good.res: ssl/server-ca-ocsp-good.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt ssl/server_ca.crt
+ $(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -ndays 10000 -issuer ssl/server_ca.crt -cert ssl/server-cn-only.crt -issuer ssl/root_ca.crt -cert ssl/server_ca.crt -respout $@
+
+# server-cn-only, server_ca: 'good, revoked'
+ssl/server-ca-ocsp-revoked.res: ssl/server-ca-ocsp-revoked.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt ssl/server_ca.crt
+ $(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -ndays 10000 -issuer ssl/server_ca.crt -cert ssl/server-cn-only.crt -issuer ssl/root_ca.crt -cert ssl/server_ca.crt -respout $@
+
+# server-cn-only, server_ca: 'good, unknown'
+ssl/server-ca-ocsp-unknown.res: ssl/server-ca-ocsp-unknown.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt ssl/server_ca.crt
+ $(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -ndays 10000 -issuer ssl/server_ca.crt -cert ssl/server-cn-only.crt -issuer ssl/root_ca.crt -cert ssl/server_ca.crt -respout $@
+
+# server-cn-only, server_ca: 'good, expired'
+ssl/server-ca-ocsp-expired.res: ssl/server-ca-ocsp-expired.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt ssl/server_ca.crt
+ $(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -nmin 1 -issuer ssl/server_ca.crt -cert ssl/server-cn-only.crt -issuer ssl/root_ca.crt -cert ssl/server_ca.crt -respout $@
+
 #
 # CRLs
 #
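Review bot: Every `.idx` recipe writes its index line with `echo "V\t…"` or `echo "R\t…"`, but whether `echo` turns `\t` into a tab is shell-specific (dash does, bash does not by default), so with a bash `/bin/sh` the index file contains literal `\t` and `openssl ocsp -index` cannot split the columns; `printf 'V\t%s\t\t%s\tunknown\t%s\n' "$$expiration_date" "$$serial_number" "$$cert_subject" > $@` (and the `R` form with `$$revocation_date` in the third column) behaves the same everywhere. The two expired fixtures are produced with `-nmin 1`, so a freshly regenerated `server-ocsp-expired.res` is still valid for a minute and the expired `connect_fails` cases would fail if the suite runs inside that window; a comment such as `# valid for one minute only: the expired tests rely on this fixture being older than that when the suite runs` would record the assumption. `expiration_date` is formatted with `%Y` (four-digit year) while `revocation_date` uses `%y`; please confirm which form `openssl ocsp` accepts in the index and use it for both columns. `date --date=`/`--utc` and `xargs -I {}` are GNU extensions where the existing `ssl/%.srl` recipe above stays POSIX, and `ssl/ocsp_ca.key`, `ssl/server_ca.crt` and `ssl/root_ca.crt` are read by the `.res` recipes without being listed as prerequisites. The three `openssl x509` extractions are repeated verbatim in all eight `.idx` rules; a single `define`d helper invoked with `$(call …)` would leave one place to fix.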
@@ -262,7 +376,7 @@ ssl/%-crldir:
 .PHONY: sslfiles-clean
 sslfiles-clean:
- rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
+ rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex* ssl/*.idx ssl/*.res
 rm -rf $(SSLDIRS) ssl/new_certs_dir
 # The difference between the below clean targets and sslfiles-clean is that the
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 94ff043c8e..92656542ae 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -904,4 +904,202 @@ $node->connect_fails(
 # ] );
+# Test ocsp stapling.
+# Use a stapled ocsp response with different status for certificate server-cn-only
+# so that the client can verify the ocsp response when sslocspstapling is set.
+# server-cn-only certificates status is 'good'
+switch_server_cert(
+ $node,
+ certfile => 'server-cn-only',
+ keyfile => 'server-cn-only',
+ cafile => 'root_ca',
+ ocspfile => 'server-ocsp-good');
+
+# Reset the common_connstr
+$common_connstr =
+ "$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=ocsp-good.pg-ssltest.test";
+
+# Continue the TLS connection when certificate status is 'good' in stapled ocsp response.
+$node->connect_ok(
+ "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslocspstapling=1",
+ "connect with valid stapled ocsp response when sslocspstapling=1");
+
+# Continue the TLS connection when no ocsp response is required.
+$node->connect_ok(
+ "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslocspstapling=0",
+ "connect without requesting ocsp response when sslocspstapling=0");
+
+# server-cn-only certificates status is 'revoked'
+switch_server_cert(
+ $node,
+ certfile => 'server-cn-only',
+ keyfile => 'server-cn-only',
+ cafile => 'root_ca',
+ ocspfile => 'server-ocsp-revoked');
+
+# Fail the TLS connection when certificate status is 'revoked' in stapled ocsp response.
+$node->connect_fails(
+ "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslocspstapling=1",
+ "failed with a revoked ocsp response when sslocspstapling=1");
+
+# Continue the TLS connection when no ocsp response is required.
+$node->connect_ok(
+ "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslocspstapling=0",
+ "connect without requesting ocsp response when sslocspstapling=0");
+
+# server-cn-only certificates status is 'unknown'
+switch_server_cert(
+ $node,
+ certfile => 'server-cn-only',
+ keyfile => 'server-cn-only',
+ cafile => 'root_ca',
+ ocspfile => 'server-ocsp-unknown');
+
+# Fail the TLS connection when certificate status is 'unknown' in stapled ocsp response.
+$node->connect_fails(
+ "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslocspstapling=1",
+ "failed with a revoked ocsp response when sslocspstapling=1");
+
+# Continue the TLS connection when no ocsp response is required.
+$node->connect_ok(
+ "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslocspstapling=0",
+ "connect without requesting ocsp response when sslocspstapling=0");
+
+# server-cn-only certificates status is 'expired'
+switch_server_cert(
+ $node,
+ certfile => 'server-cn-only',
+ keyfile => 'server-cn-only',
+ cafile => 'root_ca',
+ ocspfile => 'server-ocsp-expired');
+
+# Fail the TLS connection when stapled ocsp response is 'expired'.
+$node->connect_fails(
+ "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslocspstapling=1",
+ "failed with an expired ocsp response when sslocspstapling=1");
+
+# Continue the TLS connection when no ocsp response is required.
+$node->connect_ok(
+ "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslocspstapling=0",
+ "connect without requesting ocsp response when sslocspstapling=0");
+
+# Use a stapled ocsp response with different status for certificate server-cn-only and server_ca
+# so that the client can verify the ocsp response when sslocspstapling is set.
+# server-cn-only, server_ca: 'good, good'
+switch_server_cert(
+ $node,
+ certfile => 'server-cn-only+server_ca',
+ keyfile => 'server-cn-only',
+ cafile => 'root_ca',
+ ocspfile => 'server-ca-ocsp-good');
+
+# Reset the common_connstr
+$common_connstr =
+ "$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=ocsp-good.pg-ssltest.test";
+
+# Continue the TLS connection when certificate status is 'good' in stapled ocsp response.
+$node->connect_ok(
+ "$common_connstr sslrootcert=ssl/root_ca.crt sslmode=verify-ca sslocspstapling=1",
+ "connect with valid stapled ocsp response when sslocspstapling=1");
+
+# Continue the TLS connection when no ocsp response is required.
+$node->connect_ok(
+ "$common_connstr sslrootcert=ssl/root_ca.crt sslmode=verify-ca sslocspstapling=0",
+ "connect without requesting ocsp response when sslocspstapling=0");
+
+# server-cn-only, server_ca: 'good, revoked'
+switch_server_cert(
+ $node,
+ certfile => 'server-cn-only+server_ca',
+ keyfile => 'server-cn-only',
+ cafile => 'root_ca',
+ ocspfile => 'server-ca-ocsp-revoked');
+
+# Fail the TLS connection when certificate status is 'revoked' in stapled ocsp response.
+$node->connect_fails(
+ "$common_connstr sslrootcert=ssl/root_ca.crt sslmode=verify-ca sslocspstapling=1",
+ "failed with a revoked ocsp response when sslocspstapling=1");
+
+# Continue the TLS connection when no ocsp response is required.
+$node->connect_ok(
+ "$common_connstr sslrootcert=ssl/root_ca.crt sslmode=verify-ca sslocspstapling=0",
+ "connect without requesting ocsp response when sslocspstapling=0");
+
+# server-cn-only, server_ca: 'good, unknown'
+switch_server_cert(
+ $node,
+ certfile => 'server-cn-only+server_ca',
+ keyfile => 'server-cn-only',
+ cafile => 'root_ca',
+ ocspfile => 'server-ca-ocsp-unknown');
+
+# Fail the TLS connection when certificate status is 'unknown' in stapled ocsp response.
+$node->connect_fails(
+ "$common_connstr sslrootcert=ssl/root_ca.crt sslmode=verify-ca sslocspstapling=1",
+ "failed with a revoked ocsp response when sslocspstapling=1");
+
+# Continue the TLS connection when no ocsp response is required.
+$node->connect_ok(
+ "$common_connstr sslrootcert=ssl/root_ca.crt sslmode=verify-ca sslocspstapling=0",
+ "connect without requesting ocsp response when sslocspstapling=0");
+
+# server-cn-only, server_ca: 'good, expired'
+switch_server_cert(
+ $node,
+ certfile => 'server-cn-only+server_ca',
+ keyfile => 'server-cn-only',
+ cafile => 'root_ca',
+ ocspfile => 'server-ca-ocsp-expired');
+
+# Fail the TLS connection when stapled ocsp response is 'expired'.
+$node->connect_fails(
+ "$common_connstr sslrootcert=ssl/root_ca.crt sslmode=verify-ca sslocspstapling=1",
+ "failed with an expired ocsp response when sslocspstapling=1");
+
+# Continue the TLS connection when no ocsp response is required.
+$node->connect_ok(
+ "$common_connstr sslrootcert=ssl/root_ca.crt sslmode=verify-ca sslocspstapling=0",
+ "connect without requesting ocsp response when sslocspstapling=0");
+
+
+# Use a stapled ocsp response which doesn't match the certificate server-ip-cn-only
+# so that the client will fail the TLS connection when sslocspstapling is set.
+switch_server_cert(
+ $node,
+ certfile => 'server-ip-cn-only',
+ keyfile => 'server-ip-cn-only',
+ cafile => 'root_ca',
+ ocspfile => 'server-ocsp-good');
+
+# Fail the TLS connection when stapled ocsp response doesn't match certificate.
+$node->connect_fails(
+ "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslocspstapling=1",
+ "failed with an expired ocsp response when sslocspstapling=1");
+
+# Continue the TLS connection when no ocsp response is required.
+$node->connect_ok(
+ "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslocspstapling=0",
+ "connect without requesting ocsp response when sslocspstapling=0");
+
+
+# Use a stapled ocsp response which doesn't match the certificate server-ip-cn-only
+# so that the client will fail the TLS connection when sslocspstapling is set.
+switch_server_cert(
+ $node,
+ certfile => 'server-ip-cn-only+server_ca',
+ keyfile => 'server-ip-cn-only',
+ cafile => 'root_ca',
+ ocspfile => 'server-ca-ocsp-good');
+
+# Fail the TLS connection when stapled ocsp response doesn't match certificate.
+$node->connect_fails(
+ "$common_connstr sslrootcert=ssl/root_ca.crt sslmode=verify-ca sslocspstapling=1",
+ "failed with an expired ocsp response when sslocspstapling=1");
+
+# Continue the TLS connection when no ocsp response is required.
+$node->connect_ok(
+ "$common_connstr sslrootcert=ssl/root_ca.crt sslmode=verify-ca sslocspstapling=0",
+ "connect without requesting ocsp response when sslocspstapling=0");
+
+
 done_testing();
diff --git a/src/test/ssl/t/SSL/Backend/OpenSSL.pm b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
index 410b4b1a3f..3f4c1a0fe4 100644
--- a/src/test/ssl/t/SSL/Backend/OpenSSL.pm
+++ b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
@@ -73,6 +73,7 @@ sub init
 _copy_files("ssl/root+client_ca.crt", $pgdata);
 _copy_files("ssl/root_ca.crt", $pgdata);
 _copy_files("ssl/root+client.crl", $pgdata);
+ _copy_files("ssl/server-*.res", $pgdata);
 mkdir("$pgdata/root+client-crldir")
 or die "unable to create server CRL dir $pgdata/root+client-crldir: $!";
 _copy_files("ssl/root+client-crldir/*", "$pgdata/root+client-crldir/");
@@ -186,6 +187,8 @@ sub set_server_cert
 . "ssl_crl_file='$params->{crlfile}'\n";
 $sslconf .= "ssl_crl_dir='$params->{crldir}'\n"
 if defined $params->{crldir};
+ $sslconf .= "ssl_ocsp_file='$params->{ocspfile}.res'\n"
+ if defined $params->{ocspfile};
 return $sslconf;
 }
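Review bot: None of the new `connect_fails` calls pass `expected_stderr`, so the 'revoked', 'unknown', 'expired' and mismatch cases also pass when the connection fails for an unrelated reason (a wrong `sslrootcert` path, the server not back up after `switch_server_cert`), and the suite cannot distinguish a fail-closed OCSP check from a broken fixture; each should pin the client message for that status, e.g. `expected_stderr => qr/<libpq OCSP status error text>/` (placeholder — the wording comes from patch 2/3, which is not visible here). Several test names are copy-pasted from the wrong case: both 'unknown' blocks say `failed with a revoked ocsp response` and both mismatch blocks say `failed with an expired ocsp response`, so name the condition actually exercised, e.g. `failed with an unknown ocsp status when sslocspstapling=1` and `failed with a stapled ocsp response that does not match the certificate`. The hunk also never exercises `sslocspstapling=1` against a server that staples nothing (a `switch_server_cert` call without `ocspfile`), which is the fail-open versus fail-closed behaviour a client-side option most needs pinned; one `connect_fails` (or `connect_ok`, whichever patch 2/3 intends) for that case would close the gap.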
diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm
index 149a938511..f806b433da 100644
--- a/src/test/ssl/t/SSL/Server.pm
+++ b/src/test/ssl/t/SSL/Server.pm
@@ -255,6 +255,10 @@ The CA certificate to use. Implementation is SSL backend specific.
 The certificate file to use. Implementation is SSL backend specific.
+=item ocspfile => B
+
+The ocsp stapling file to use. Implementation is SSL backend specific.
+
 =item keyfile => B
 The private key file to use. Implementation is SSL backend specific.
-- 
2.34.1
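Review bot: The new `ocspfile` item does not say what callers pass: the OpenSSL backend emits the value as `ssl_ocsp_file='<value>.res'`, so it is the fixture's base name under `ssl/` without the `.res` suffix, and the description should say so, e.g. `The stapled OCSP response to use, given as the fixture name without its .res suffix (e.g. server-ocsp-good). Implementation is SSL backend specific.` The bare `B` after `=>` matches the neighbouring items, so that is presumably the page dropping the POD `B<...>` markup rather than something to fix in the patch.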