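#
# OCSP verification of certs obtained from SSL sites
#
# Layout as used throughout this file: a "globals ... end" block sets the
# defaults, then each "test = ... end" block names one chain (cert = lines,
# leaf first), the SSL host name to evaluate it for, and any per-test
# overrides of the globals.
#
# Expected results, as far as this file shows:
#   certerror = N:ERR   per-cert status expected on cert N; N looks like a
#                       zero-based index into the cert = list (1 is used
#                       where the intermediate lacks an OCSP AIA, 2 where the
#                       2nd intermediate does) -- confirm against the harness
#   error = ERR         expected overall result; only the tests whose names
#                       say "fail" (or that lack a root) set it
#
# NOTE(review): several tests expect a per-cert APPLETP_OCSP_UNAVAILABLE with
# no overall error. That records soft-fail behaviour (a chain is accepted
# although one cert's revocation status could not be checked) as the expected
# outcome under these globals. The requireOcspForAll and ocspNetFetchDisable
# tests are the ones that pin the hard-fail path; keep them passing when
# revocation policy code changes.
#
# NOTE(review): apart from the "disable net" case, these tests appear to
# depend on live OCSP responders and on the validity period of the stored
# .cer fixtures (see the 10/19/07 note below), so a result change may come
# from the responder or from certificate expiry rather than from the code
# under test.
#
globals
certNetFetchEnable = false
useSystemAnchors = true
allowUnverified = true
# alternate these two on successful runs, flip either one for failure
requireOcspIfPresent = false
requireOcspForAll = false
cacheDisable = false
end
###
### all these (until further notice) do OCSP via ocsp.verisign.com
###
echo "================================="
test = "www.amazon.com"
revokePolicy = ocsp
cert = amazon_v3.100.cer
cert = amazon_v3.101.cer
sslHost = www.amazon.com
requireOcspIfPresent = true
end
echo "================================="
test = "www.cduniverse.com"
revokePolicy = ocsp
cert = cduniverse_v3.100.cer
cert = cduniverse_v3.101.cer
sslHost = www.cduniverse.com
# same value as the global default; kept as an explicit override
requireOcspForAll = false
end
echo "================================="
test = "store.apple.com, allowing unverified"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
# NOTE(review): this block's directives are identical to the next test
# ("require OCSP if present"). If this case is meant to cover the global
# default (requireOcspIfPresent = false), the override below may be a
# copy-paste leftover -- confirm before changing; left as found.
requireOcspIfPresent = true
cert = apple_v3.100.cer
cert = apple_v3.101.cer
sslHost = store.apple.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "store.apple.com, require OCSP if present"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
requireOcspIfPresent = true
cert = apple_v3.100.cer
cert = apple_v3.101.cer
sslHost = store.apple.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "store.apple.com, require OCSP for all, fail"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
# hard-fail case: the intermediate's missing OCSP status is expected to fail
# the whole evaluation (error = below)
requireOcspForAll = true
cert = apple_v3.100.cer
cert = apple_v3.101.cer
sslHost = store.apple.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
error = APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "store.apple.com, require OCSP if present, disable net, fail"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
# hard-fail case with no network fetch and no cache: the only test in this
# file that does not rely on reaching a responder
requireOcspIfPresent = true
ocspNetFetchDisable = true
cacheDisable = true
cert = apple_v3.100.cer
cert = apple_v3.101.cer
sslHost = store.apple.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
error = APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "www.verisign.com"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, 2nd intermediate doesn't
cert = verisign_v3.100.cer
cert = verisign_v3.101.cer
cert = verisign_v3.102.cer
sslHost = www.verisign.com
certerror = 2:APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "accounts.key.com"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
cert = keybank_v3.100.cer
cert = keybank_v3.101.cer
#
# This one is the root, which SSL server sent us.
# Leave it in for variety.
#
cert = keybank_v3.102.cer
sslHost = accounts.key.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "secure.authorize.net"
revokePolicy = ocsp
# This started working on 10/19/07.
# The intermediate has had an AIA for a while - maybe the URL it
# pointed to just didn't work before today?
# OLD COMMENT -- leaf has ocsp accessMethod in AIA, intermediate doesn't
cert = secauth_v3.100.cer
cert = secauth_v3.101.cer
sslHost = secure.authorize.net
# deleted 10/19/07 certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
###
### OCSP via ocsp.thawte.com
###
# proteron deleted
#
# misc. others
#
echo "================================="
test = "www.wellsfargo.com"
revokePolicy = ocsp
requireOcspIfPresent = true
cert = wellsfargo_v3.100.cer
cert = wellsfargo_v3.101.cer
sslHost = www.wellsfargo.com
end
echo "================================="
test = "www.certum.pl"
revokePolicy = ocsp
requireOcspIfPresent = true
cert = certum_v3.100.cer
cert = certum_v3.101.cer
sslHost = www.certum.pl
# this, because we don't have the root, instead of APPLETP_OCSP_BAD_RESPONSE
# which Radar 4158052 causes
# NOTE(review): the expected result here is a trust failure, so this test
# presumably does not assert anything about how the OCSP response itself is
# handled; revisit the expected error if the root is added to the fixtures.
error = TP_NOT_TRUSTED
end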