Closed Bug 741870 Opened 13 years ago Closed 13 years ago

Update OCSP server testing

Categories

(NSS :: Test, defect, P2)

3.13.3
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: KaiE, Assigned: KaiE)

Attachments

(2 files, 2 obsolete files)

We currently don't have coverage for the nss/tests/chains test scenario ocsp.cfg.

All tinderboxes complain about OCSP server not accessible, skipping OCSP tests (this is expected, as the old OCSP server is behind a corporate firewall, or even no longer maintained).

I've set up a new OCSP server on http://ocsp.kuix.de (ports 2600-2603). I've documented the steps to get this done at https://wiki.mozilla.org/NSS:TestSuiteOCSPServer

In order to make our test suite use the new server, we must check in updated certificates to NSS. I will attach a zip with those certs. In addition, it was necessary to adjust the script for generation; I'll attach a patch for that.
Blocks: 741873
Depends on: 741962
Attached file zip file, new certs
Comment on attachment 611887 zip file, new certs

The contents of this zip file should be copied to mozilla/security/nss/tests/libpkix/certs (overwriting the existing files that refer to a server behind a firewall).
ocspd-certs.sh needs this fix, to make extraction of private key from p12 work again (using the openssl tool).
better patch
Assignee: nobody → kaie
Attachment #611909 - Attachment is obsolete: true
The NSS testsuite should be self-contained--i.e. any servers that are needed should be run locally (on the same host doing the tests) so that no working network is required. It seems like it would be possible to get that to happen on Linux, but it seems like it will be difficult to get a full OpenCA OCSP server to run on Windows client machines. Also, your attachment contains a bunch of certificates, but what about the script that creates those certificates? Shouldn't the chains tests be creating the certs?
(In reply to Brian Smith (:bsmith) from comment #5)
> The NSS testsuite should be self-contained--i.e. any servers that are needed
> should be run locally (on the same host doing the tests) so that no working
> network is required.

Should should should... Please file a separate bug for your proposal. This bug is about getting to work what we have.

> Also, your attachment contains a bunch of certificates, but what about the
> script that creates those certificates? Shouldn't the chains tests be
> creating the certs?

They are in the .zip file attachment. (the patch was intended to not list them, forgot to clean up the patch file)
Attached patch Patch v3
This patch also fixes the configuration file. It took me a while to figure out this additional configuration to make the ocsp server actually work (and return status "good" instead of status "unknown").
Attachment #611913 - Attachment is obsolete: true
Comment on attachment 611887 zip file, new certs

Bob, checking in these certificates is sufficient to get OCSP server testing enabled again.
Attachment #611887 - Flags: review?(rrelyea)
Comment on attachment 611993 Patch v3

This patch fixes the scripts that are used to prepare the certificates for use against the OCSP server. The script is not part of the build. It's only invoked manually when there is a need to use new certificates.
Attachment #611993 - Flags: review?(rrelyea)
Comment on attachment 611887 zip file, new certs

Checked in without review.

I have inspected the most recent test output found on tinderbox. I can see that the last remaining and functioning build machine provided by Sun still successfully used an internal OCSP server. I can see that any other build machines skipped the OCSP tests.

To check yourself, search the logs for: dochinups

I'll watch the next rounds of tinderbox log output, to ensure that the tests are being successfully run on each of the machines.

Checking in OCSPCA1.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA1.cert,v <-- OCSPCA1.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPCA1.p12; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA1.p12,v <-- OCSPCA1.p12 new revision: 1.7; previous revision: 1.6 done
Checking in OCSPCA2.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.cert,v <-- OCSPCA2.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPCA2.p12; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.p12,v <-- OCSPCA2.p12 new revision: 1.6; previous revision: 1.5 done
Checking in OCSPCA3.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA3.cert,v <-- OCSPCA3.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPCA3.p12; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA3.p12,v <-- OCSPCA3.p12 new revision: 1.6; previous revision: 1.5 done
Checking in OCSPEE11.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE11.cert,v <-- OCSPEE11.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPEE12.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE12.cert,v <-- OCSPEE12.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPEE13.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE13.cert,v <-- OCSPEE13.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPEE14.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE14.cert,v <-- OCSPEE14.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPEE15.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE15.cert,v <-- OCSPEE15.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPEE21.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE21.cert,v <-- OCSPEE21.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPEE22.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE22.cert,v <-- OCSPEE22.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPEE23.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE23.cert,v <-- OCSPEE23.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPEE31.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE31.cert,v <-- OCSPEE31.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPEE32.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE32.cert,v <-- OCSPEE32.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPEE33.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE33.cert,v <-- OCSPEE33.cert new revision: 1.6; previous revision: 1.5 done
Checking in OCSPRoot.cert; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPRoot.cert,v <-- OCSPRoot.cert new revision: 1.4; previous revision: 1.3 done
Checking in OCSPRoot.p12; /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPRoot.p12,v <-- OCSPRoot.p12 new revision: 1.4; previous revision: 1.3 done
Attachment #611887 - Flags: review?(rrelyea)
Comment on attachment 611993 Patch v3

r+ rrelyea
Attachment #611993 - Flags: review?(rrelyea) → review+
Checking in ocspd-config/ocspd-certs.sh; /cvsroot/mozilla/security/nss/tests/chains/ocspd-config/ocspd-certs.sh,v <-- ocspd-certs.sh new revision: 1.3; previous revision: 1.2 done
Checking in ocspd-config/ocspd.conf.template; /cvsroot/mozilla/security/nss/tests/chains/ocspd-config/ocspd.conf.template,v <-- ocspd.conf.template new revision: 1.2; previous revision: 1.1 done
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.13.5
OS: Linux → All
Priority: -- → P2
Hardware: x86 → All
Target Milestone: 3.13.5 → 3.14