From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sun, 24 Mar 2013 21:49:12 +0000 (+0000)
Subject: OCSP-stapling enhancement and testing.
X-Git-Tag: exim-4_82_RC1~44^2~1
X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/f5d786885721c374cc22a1f1311ca01408a496fd?hp=f5d786885721c374cc22a1f1311ca01408a496fd

OCSP-stapling enhancement and testing.

Server:
  Honor environment variable as well as running_in_test_harness in permitting bogus staplings
  Update server tests
  Add "-ocsp" option to client-ssl.
  Server side: add verification of stapled status.
  First cut server-mode ocsp testing.
  Fix some uninitialized ocsp-related data.

Client (new):
  Verify stapling using only the chain that verified the server cert, not any acceptable chain.
  Add check for multiple responses in a stapling, which is not handled
  Refuse verification on expired and revoking staplings.
  Handle OCSP client refusal on lack of stapling from server.
  More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
  Add transport hosts_require_ocsp option.
  Log stapling responses.
  Start on tests for client-side.

Testing support:
    Add CRL generation code and documentation update
    Initial CA & certificate set for testing.

BUGFIX:
    Once a single OCSP response has been extracted the validation
    routine return code is no longer about the structure, but the actual
    returned OCSP status.
---