Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2015/05/12 21:31:37 UTC

silly ab patch for SNI and OCSP stapling

... where "OCSP stapling" means "get the server to do the related work 
but don't care what you get back".

Perhaps this doesn't save any time for anybody that would want to test 
such a thing, but who knows?

Index: support/ab.c
===================================================================
--- support/ab.c    (revision 1679028)
+++ support/ab.c    (working copy)
@@ -1287,6 +1287,8 @@
          bio = BIO_new_socket(fd, BIO_NOCLOSE);
          SSL_set_bio(c->ssl, bio, bio);
          SSL_set_connect_state(c->ssl);
+        SSL_set_tlsext_host_name(c->ssl, hostname);
+        SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp);
          if (verbosity >= 4) {
              BIO_set_callback(bio, ssl_print_cb);
              BIO_set_callback_arg(bio, (void *)bio_err);
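Review bot: both added calls in this hunk discard their return values, and `hostname` is passed to SSL_set_tlsext_host_name() unconditionally, although RFC 6066 forbids IPv4/IPv6 literals in the server_name extension, so a run against a bare IP address would send a malformed SNI; guard the call (a hypothetical `if (!is_ip_literal(hostname))`), check the return value, and skip SNI rather than send a literal. SSL_set_tlsext_status_type() only asks the server to staple; with no SSL_CTX_set_tlsext_status_cb() and no SSL_get_tlsext_status_ocsp_resp() check the reply is never looked at, which matches the stated intent but deserves a one-line comment at the call site so nobody assumes the staple is validated. As the cover note already hints, the two lines also need an `#ifndef OPENSSL_NO_TLSEXT` guard to keep building against an OpenSSL configured without TLS extensions.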

The lack of SNI is a pretty big hole now; it probably doesn't need much 
extra in the way of #if/if to do the right thing.
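As an added illustration, not part of ab.c or the patch above, the following builds the two ClientHello extensions that the patched ab asks OpenSSL to send, so their wire effect can be checked byte for byte; it also applies the RFC 6066 rule that an IP literal must not be sent as SNI, which matters when testing directly by IP address. Host names and addresses in main() are constructed samples.

```c
/* Added example, not from ab.c: encodes server_name (RFC 6066 s.3, type 0)
 * and status_request (RFC 6066 s.8, type 5) exactly as the patched ab makes
 * OpenSSL emit them in the ClientHello. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* RFC 6066 s.3: literal IPv4/IPv6 addresses are not permitted in HostName,
 * so a client testing by IP address must omit the SNI extension entirely. */
int sni_allowed(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) != 1 && inet_pton(AF_INET6, host, buf) != 1;
}

static void put16(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Writes the server_name extension; returns bytes written, or 0 when SNI
 * must be omitted (IP literal, empty name, name too long, or small buffer). */
size_t encode_sni(const char *host, uint8_t *out, size_t cap)
{
    size_t n = strlen(host);
    if (n == 0 || n > 0xFFF0 || !sni_allowed(host) || cap < n + 9) return 0;
    put16(out, 0);          /* extension_type = server_name (0) */
    put16(out + 2, n + 5);  /* extension_data length */
    put16(out + 4, n + 3);  /* ServerNameList length */
    out[6] = 0;             /* NameType = host_name (0) */
    put16(out + 7, n);      /* HostName length */
    memcpy(out + 9, host, n);
    return n + 9;
}

/* Writes status_request asking for a stapled OCSP response: status_type
 * ocsp(1), empty responder_id_list, empty request_extensions. */
size_t encode_status_request(uint8_t *out, size_t cap)
{
    if (cap < 9) return 0;
    put16(out, 5);          /* extension_type = status_request (5) */
    put16(out + 2, 5);      /* extension_data length */
    out[4] = 1;             /* CertificateStatusType = ocsp */
    put16(out + 5, 0);      /* responder_id_list length */
    put16(out + 7, 0);      /* request_extensions length */
    return 9;
}

static void dump(const char *label, const uint8_t *b, size_t n)
{
    printf("%s (%zu bytes):", label, n);
    for (size_t i = 0; i < n; i++) printf(" %02x", b[i]);
    printf("\n");
}

int main(void)
{
    uint8_t buf[64];
    /* constructed sample inputs: a reserved example name and a TEST-NET address */
    dump("server_name for www.example.com", buf, encode_sni("www.example.com", buf, sizeof buf));
    dump("server_name for 192.0.2.10 (omitted)", buf, encode_sni("192.0.2.10", buf, sizeof buf));
    dump("status_request", buf, encode_status_request(buf, sizeof buf));
    return 0;
}
```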


Re: silly ab patch for SNI and OCSP stapling

Posted by Daniel Ruggeri <DR...@primary.net>.
Yep, my mistake. I thought there was a command line switch to change the
host header. You're correct - it wouldn't make much sense to override
one and not the other.

-- 
Daniel Ruggeri

On 5/16/2015 11:25 AM, Jeff Trawick wrote:
> in that case shouldn't you also be overriding Host:, so the SNI host
> name can use the same override?  I think this may lead the user into a
> more helpful scenario, if indeed they don't already know when to
> override Host:, and I don't know how useful it is to have different
> values for Host: and SNI.


Re: silly ab patch for SNI and OCSP stapling

Posted by Jeff Trawick <tr...@gmail.com>.
On Sat, May 16, 2015 at 10:39 AM, Daniel Ruggeri <dr...@primary.net>
wrote:

> +1, but I would also propose a command line flag to override the SNI host
> name supplied in case one is testing directly by IP address.
>

in that case shouldn't you also be overriding Host:, so the SNI host name
can use the same override?  I think this may lead the user into a more
helpful scenario, if indeed they don't already know when to override Host:,
and I don't know how useful it is to have different values for Host: and
SNI.



> --
> Daniel Ruggeri
>
> ------------------------------
> *From:* Jeff Trawick <tr...@gmail.com>
> *Sent:* May 12, 2015 2:31:37 PM CDT
> *To:* Apache HTTP Server Development List <de...@httpd.apache.org>
> *Subject:* silly ab patch for SNI and OCSP stapling
>
> ... where "OCSP stapling" means "get the server to do the related work
> but don't care what you get back".
>
> Perhaps this doesn't save any time for anybody that would want to test
> such a thing, but who knows?
>
> Index: support/ab.c
> ------------------------------
>
> --- support/ab.c    (revision 1679028)
> +++ support/ab.c    (working copy)
> @@ -1287,6 +1287,8 @@
>           bio = BIO_new_socket(fd, BIO_NOCLOSE);
>           SSL_set_bio(c->ssl, bio, bio);
>           SSL_set_connect_state(c->ssl);
> +        SSL_set_tlsext_host_name(c->ssl, hostname);
> +        SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp);
>           if (verbosity >= 4) {
>               BIO_set_callback(bio, ssl_print_cb);
>               BIO_set_callback_arg(bio, (void *)bio_err);
>
> The lack of SNI is a pretty big hole now; it probably doesn't need much
> extra in the way of #if/if to do the right thing.
>
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: silly ab patch for SNI and OCSP stapling

Posted by Daniel Ruggeri <dr...@primary.net>.
+1, but I would also propose a command line flag to override the SNI host name supplied in case one is testing directly by IP address.
-- 
Daniel Ruggeri


-------- Original Message --------
From: Jeff Trawick <tr...@gmail.com>
Sent: May 12, 2015 2:31:37 PM CDT
To: Apache HTTP Server Development List <de...@httpd.apache.org>
Subject: silly ab patch for SNI and OCSP stapling

... where "OCSP stapling" means "get the server to do the related work 
but don't care what you get back".

Perhaps this doesn't save any time for anybody that would want to test 
such a thing, but who knows?

Index: support/ab.c
===================================================================
--- support/ab.c    (revision 1679028)
+++ support/ab.c    (working copy)
@@ -1287,6 +1287,8 @@
          bio = BIO_new_socket(fd, BIO_NOCLOSE);
          SSL_set_bio(c->ssl, bio, bio);
          SSL_set_connect_state(c->ssl);
+        SSL_set_tlsext_host_name(c->ssl, hostname);
+        SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp);
          if (verbosity >= 4) {
              BIO_set_callback(bio, ssl_print_cb);
              BIO_set_callback_arg(bio, (void *)bio_err);

The lack of SNI is a pretty big hole now; it probably doesn't need much 
extra in the way of #if/if to do the right thing.


Re: silly ab patch for SNI and OCSP stapling

Posted by Yann Ylavic <yl...@gmail.com>.
+1, to both! Thanks.

On Tue, May 12, 2015 at 9:31 PM, Jeff Trawick <tr...@gmail.com> wrote:
> ... where "OCSP stapling" means "get the server to do the related work but
> don't care what you get back".
>
> Perhaps this doesn't save any time for anybody that would want to test such
> a thing, but who knows?
>
> Index: support/ab.c
> ===================================================================
> --- support/ab.c    (revision 1679028)
> +++ support/ab.c    (working copy)
> @@ -1287,6 +1287,8 @@
>          bio = BIO_new_socket(fd, BIO_NOCLOSE);
>          SSL_set_bio(c->ssl, bio, bio);
>          SSL_set_connect_state(c->ssl);
> +        SSL_set_tlsext_host_name(c->ssl, hostname);
> +        SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp);
>          if (verbosity >= 4) {
>              BIO_set_callback(bio, ssl_print_cb);
>              BIO_set_callback_arg(bio, (void *)bio_err);
>
> The lack of SNI is a pretty big hole now; it probably doesn't need much
> extra in the way of #if/if to do the right thing.
>