Posted to dev@serf.apache.org by br...@apache.org on 2016/12/05 10:30:12 UTC

svn commit: r1772627 - /serf/branches/ocsp-verification/BRANCH-README

Author: brane
Date: Mon Dec  5 10:30:12 2016
New Revision: 1772627

URL: http://svn.apache.org/viewvc?rev=1772627&view=rev
Log:
On the ocsp-verification branch: Add branch docs.

* BRANCH-README: New file.

Added:
    serf/branches/ocsp-verification/BRANCH-README   (with props)

Added: serf/branches/ocsp-verification/BRANCH-README
URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/BRANCH-README?rev=1772627&view=auto
==============================================================================
--- serf/branches/ocsp-verification/BRANCH-README (added)
+++ serf/branches/ocsp-verification/BRANCH-README Mon Dec  5 10:30:12 2016
@@ -0,0 +1,52 @@
+Support for OCSP Verification in Serf
+=====================================
+
+Serf trunk currently supports OCSP stapling for verifying server
+certificates. The purpose of this branch is to add minimal support
+for issuing OCSP requests to responders from the client application.
+
+The idea is that the application decides when and where to send OCSP
+requests and how to verify responses, and Serf provides some basic
+utility functions for constructing the requests and parsing the
+responses.
+
+These are the proposed changes:
+
+1. serf_ssl_cert_certificate()
+
+   Extract the OCSP responder URL from the certificate's x509v3
+   extension field authorityInfoAccess:OCSP;URI and, if it is
+   present, insert it into the returned hash table with key
+   "ocsp.uri".
+
+2. serf_ssl_cert_import()
+
+   Add new function that is the inverse of serf_ssl_cert_export():
+
+       serf_ssl_certificate_t *serf_ssl_cert_import(
+           const char *encoded_cert,
+           apr_pool_t *pool);
+
+   Imports certificate from a base64-encoded, zero-terminated
+   string. The returned certificate is allocated in @a pool.
+   Returns NULL on failure.
+
+3. serf_ocsp_request_setup()
+
+   Add a new function that can be used from within a request setup
+   handler to create an OCSP request bucket:
+
+       apr_status_t serf_ocsp_request_setup(
+           serf_request_t *request,
+           const serf_ssl_certificate_t *server_cert,
+           const serf_ssl_certificate_t *issuer_cert,
+           serf_bucket_t **req_bkt,
+           apr_pool_t *pool);
+
+   Constructs an OCSP verification request for @a server_cert
+   with issuer certificate @a issuer_cert and sets the required
+   headers on @a request, returning the request bucket @a req_bkt.
+
+4. serf_ocsp_response_parse()
+
+   TBD: Parse an OCSP response.
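Review bot: Item 4 is still "TBD: Parse an OCSP response", while the introduction leaves "how to verify responses" to the application, so the README never says what the parser will give the application to verify with. Please list at least the fields it will expose (certificate status, thisUpdate/nextUpdate, and the material needed to check the responder's signature), and state whether Serf or the caller matches the response to the server_cert/issuer_cert pair passed to serf_ocsp_request_setup(). In item 1, authorityInfoAccess can carry more than one OCSP URI, but only a single "ocsp.uri" key is described. Say which URI is returned, and note that the value comes from the certificate being checked, so callers should treat it as untrusted until the chain is validated. Item 2 documents NULL on failure, but item 3 does not say which apr_status_t values are returned or what *req_bkt holds on error.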

Propchange: serf/branches/ocsp-verification/BRANCH-README
------------------------------------------------------------------------------
    svn:eol-style = native