httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Ruggeri <>
Subject Re: silly ab patch for SNI and OCSP stapling
Date Sat, 16 May 2015 14:39:20 GMT
+1, but I would also propose a command line flag to override the SNI host name supplied in
case one is testing directly by IP address.
Daniel Ruggeri

-------- Original Message --------
From: Jeff Trawick <>
Sent: May 12, 2015 2:31:37 PM CDT
To: Apache HTTP Server Development List <>
Subject: silly ab patch for SNI and OCSP stapling

... where "OCSP stapling" means "get the server to do the related work 
but don't care what you get back".

Perhaps this doesn't save any time for anybody that would want to test 
such a thing, but who knows?

Index: support/ab.c
--- support/ab.c    (revision 1679028)
+++ support/ab.c    (working copy)
@@ -1287,6 +1287,8 @@
          bio = BIO_new_socket(fd, BIO_NOCLOSE);
          SSL_set_bio(c->ssl, bio, bio);
+        SSL_set_tlsext_host_name(c->ssl, hostname);
+        SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp);
          if (verbosity >= 4) {
              BIO_set_callback(bio, ssl_print_cb);
              BIO_set_callback_arg(bio, (void *)bio_err);

The lack of SNI is a pretty big hole now; it probably doesn't need much 
extra in the way of #if/if to do the right thing.

View raw message