httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: silly ab patch for SNI and OCSP stapling
Date Tue, 12 May 2015 19:35:29 GMT
+1, to both! Thanks.

On Tue, May 12, 2015 at 9:31 PM, Jeff Trawick <trawick@gmail.com> wrote:
> ... where "OCSP stapling" means "get the server to do the related work but
> don't care what you get back".
>
> Perhaps this doesn't save any time for anybody that would want to test such
> a thing, but who knows?
>
> Index: support/ab.c
> ===================================================================
> --- support/ab.c    (revision 1679028)
> +++ support/ab.c    (working copy)
> @@ -1287,6 +1287,8 @@
>          bio = BIO_new_socket(fd, BIO_NOCLOSE);
>          SSL_set_bio(c->ssl, bio, bio);
>          SSL_set_connect_state(c->ssl);
> +        SSL_set_tlsext_host_name(c->ssl, hostname);
> +        SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp);
>          if (verbosity >= 4) {
>              BIO_set_callback(bio, ssl_print_cb);
>              BIO_set_callback_arg(bio, (void *)bio_err);
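
Review bot: The two added calls after SSL_set_connect_state() are unconditional and their return values are ignored. As the message itself says, some #if/if is still needed: guard them so ab still builds against OpenSSL without TLS extension support (for example, #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME), and report a failure from SSL_set_tlsext_host_name() instead of silently continuing without SNI. RFC 6066 does not permit literal IPv4 or IPv6 addresses in the server_name extension, so skip the SNI call when hostname is an IP literal. The status request changes how much work the server does per handshake, which shifts benchmark numbers compared with earlier ab runs; consider putting SSL_set_tlsext_status_type() behind a command-line option and documenting that the stapled response is not inspected.
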
>
> The lack of SNI is a pretty big hole now; it probably doesn't need much
> extra in the way of #if/if to do the right thing.
>
