Index: net/tools/testserver/testserver.py |
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py |
index 83c14d638d33219009b0c7baa176107e80e44131..675f271cf5334a2f428d0c03179e214489d69c66 100755 |
--- a/net/tools/testserver/testserver.py |
+++ b/net/tools/testserver/testserver.py |
@@ -128,7 +128,8 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn, |
def __init__(self, server_address, request_hander_class, pem_cert_and_key, |
ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers, |
- record_resume_info, tls_intolerant, signed_cert_timestamps): |
+ record_resume_info, tls_intolerant, |
+ signed_cert_timestamps, ocsp_response): |
self.cert_chain = tlslite.api.X509CertChain().parseChain(pem_cert_and_key) |
# Force using only python implementation - otherwise behavior is different |
# depending on whether m2crypto Python module is present (error is thrown |
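Review bot: The new `ocsp_response` parameter on `HTTPSServer.__init__` is undocumented, and nothing in this hunk says what form it takes or that it may be absent; from the create_server hunk further down it is the DER-encoded OCSP response built for the test server, initialised to `None` when none is generated. A one-line comment on the signature would spare the next reader that lookup, e.g. `# ocsp_response: DER-encoded OCSP response to staple in the TLS handshake, or None to staple nothing.` The `__init__` body continues past the end of this hunk.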
@@ -141,6 +142,7 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn, |
self.ssl_client_cas = [] |
self.tls_intolerant = tls_intolerant |
self.signed_cert_timestamps = signed_cert_timestamps |
+ self.ocsp_response = ocsp_response |
for ca_file in ssl_client_cas: |
s = open(ca_file).read() |
@@ -174,7 +176,8 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn, |
reqCAs=self.ssl_client_cas, |
tlsIntolerant=self.tls_intolerant, |
signedCertTimestamps= |
- self.signed_cert_timestamps) |
+ self.signed_cert_timestamps, |
+ OCSPResponse = self.ocsp_response) |
wtc
2013/12/03 21:04:25
Nit: should "OCSPResponse" start in lowercase "ocs
ekasper
2013/12/04 19:25:15
Done.
|
tlsConnection.ignoreAbruptClose = True |
return True |
except tlslite.api.TLSAbruptCloseError: |
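Review bot: `OCSPResponse = self.ocsp_response` is passed on every handshake, and the value can be `None` (create_server starts from `ocsp_der = None` and only fills it in when an OCSP response is generated), so correctness here rests on tlslite's `handshakeServer` treating `None` as "do not answer status_request" rather than emitting an empty CertificateStatus message; that side of the contract is not in this diff. Either confirm it against the tlslite change or make the expectation visible at the call site, e.g. `# OCSPResponse may be None; tlslite must then omit the status_request reply.` The enclosing handshake method begins before this hunk and its exception handling continues after it.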
@@ -1886,6 +1889,7 @@ class ServerRunner(testserver_base.TestServerRunner): |
def create_server(self, server_data): |
port = self.options.port |
host = self.options.host |
+ ocsp_der = None |
if self.options.server_type == SERVER_HTTP: |
if self.options.https: |
@@ -1902,7 +1906,6 @@ class ServerRunner(testserver_base.TestServerRunner): |
print ('OCSP server started on %s:%d...' % |
(host, self.__ocsp_server.server_port)) |
- ocsp_der = None |
ocsp_state = None |
if self.options.ocsp == 'ok': |
@@ -1924,7 +1927,12 @@ class ServerRunner(testserver_base.TestServerRunner): |
ocsp_url = ("http://%s:%d/ocsp" % |
(host, self.__ocsp_server.server_port)), |
ocsp_state = ocsp_state, |
- serial = self.options.cert_serial) |
+ serial = self.options.cert_serial, |
+ # Signed Certificate Timestamps are only accepted in a stapled |
+ # response: when included in a non-stapled response, the client |
+ # will simply ignore the extension. |
wtc
2013/12/03 21:04:25
Is this comment true? If I get an OCSP response fr
ekasper
2013/12/04 19:25:15
I've reverted the extension code here as the testi
|
+ sct_extension = ( |
+ self.options.signed_cert_timestamps_ocsp.decode("base64"))) |
self.__ocsp_server.ocsp_response = ocsp_der |
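Review bot: With the option's default of `''`, `''.decode("base64")` is `''`, so `sct_extension` is passed as an empty string on every run where `--signed-cert-timestamps-ocsp` is not given; unless the OCSP response builder treats an empty value as "no extension" (its definition is not in this diff), default runs would embed an empty SCT-list extension in the stapled response and change what existing tests exercise. Making the absence explicit at the call, `sct_extension=self.options.signed_cert_timestamps_ocsp.decode("base64") or None`, or guarding in the builder, avoids relying on that. The call whose keyword arguments this hunk extends begins before the hunk.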
@@ -1933,14 +1941,16 @@ class ServerRunner(testserver_base.TestServerRunner): |
raise testserver_base.OptionError( |
'specified trusted client CA file not found: ' + ca_cert + |
' exiting...') |
+ |
server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key, |
self.options.ssl_client_auth, |
self.options.ssl_client_ca, |
self.options.ssl_bulk_cipher, |
self.options.record_resume, |
self.options.tls_intolerant, |
- self.options.signed_cert_timestamps.decode( |
- "base64")) |
+ self.options.signed_cert_timestamps_tls_ext.decode( |
+ "base64"), |
+ ocsp_der) |
wtc
2013/12/03 21:04:25
Should we use self.__ocsp_server.ocsp_response her
ekasper
2013/12/04 19:25:15
Changed.
|
print 'HTTPS server started on %s:%d...' % (host, server.server_port) |
else: |
server = HTTPServer((host, port), TestPageHandler) |
@@ -2078,13 +2088,20 @@ class ServerRunner(testserver_base.TestServerRunner): |
'aborted. 2 means TLS 1.1 or higher will be ' |
'aborted. 3 means TLS 1.2 or higher will be ' |
'aborted.') |
- self.option_parser.add_option('--signed-cert-timestamps', |
- dest='signed_cert_timestamps', |
+ self.option_parser.add_option('--signed-cert-timestamps-tls-ext', |
+ dest='signed_cert_timestamps_tls_ext', |
default='', |
help='Base64 encoded SCT list. If set, ' |
'server will respond with a ' |
'signed_certificate_timestamp TLS extension ' |
'whenever the client supports it.') |
+ self.option_parser.add_option('--signed-cert-timestamps-ocsp', |
+ dest='signed_cert_timestamps_ocsp', |
+ default='', |
+ help='Base64 encoded SCT list. If set, ' |
+ 'server will include the list in a stapled ' |
+ 'OCSP response whenever the client supports ' |
+ 'OCSP stapling.') |
self.option_parser.add_option('--https-record-resume', |
dest='record_resume', const=True, |
default=False, action='store_const', |
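Review bot: The help text for `--signed-cert-timestamps-ocsp` promises the list is stapled "whenever the client supports OCSP stapling", but from the create_server hunk the value only reaches a response when the test server actually generates an OCSP response, which appears to depend on the `--ocsp` option; a caller passing this flag alone would get nothing stapled and no indication why. Suggested wording: `'Base64 encoded SCT list. Embedded in the generated OCSP response (requires --ocsp), which is stapled whenever the client supports OCSP stapling.'` Separately, `--signed-cert-timestamps` is renamed to `--signed-cert-timestamps-tls-ext` with no alias, so any harness still passing the old flag will fail at option parsing; the corresponding caller update is not visible in this diff and is worth confirming.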