#
# OCSP verification of certs obtained from SSL sites
#
# Layout, as used throughout this script: a "globals ... end" block sets
# defaults, then each "test = ... end" block names saved certificate files
# (cert = ...), the host they were obtained from (sslHost = ...), and the
# expected outcome.
#   certerror = N:ERR   expected per-cert status ERR on the cert at index N
#   error = ERR         expected overall verification result
# Judging by the comments in the tests below, certs are listed leaf first
# (index 0), then intermediate (index 1), then root when present.
# A test with neither error nor certerror is presumably expected to verify
# cleanly -- TODO confirm against the test tool.
#
# NOTE(review): the section comments below name live responders
# (ocsp.verisign.com, ocsp.thawte.com). Results therefore depend on those
# responders being reachable and still answering for these saved certs;
# confirm that before treating a failure as a regression.
#
globals
certNetFetchEnable = false
useSystemAnchors = true
# alternate these two on successful runs, flip either one for failure
# In the tests below, allowUnverified = true behaves as a soft-fail setting:
# a cert whose OCSP status cannot be obtained is still accepted overall, and
# only a per-cert APPLETP_OCSP_UNAVAILABLE is recorded. Tests that need
# hard-fail behavior set allowUnverified = false or requireOcspIfPresent = true
# themselves rather than relying on these defaults.
allowUnverified = true
requireOcspIfPresent = false
# presumably the OCSP response cache; left enabled here, so a response cached
# by an earlier test may be reused -- the "disable net" test turns it off.
cacheDisable = false
end
###
### all these (until further notice) do OCSP via ocsp.verisign.com
###
echo "================================="
test = "www.amazon.com"
revokePolicy = ocsp
cert = amazon_v3.100.cer
sslHost = www.amazon.com
# overrides the global default (false) for this test only
requireOcspIfPresent = true
end
echo "================================="
test = "www.cduniverse.com"
revokePolicy = ocsp
cert = cduniverse_v3.000.cer
sslHost = www.cduniverse.com
# overrides the global default (true); no error is expected, so the single
# cert presumably must obtain an OCSP status for this test to pass
allowUnverified = false
end
echo "================================="
test = "store.apple.com, allowing unverified"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
allowUnverified = true
cert = apple_v3.000.cer
cert = apple_v3.001.cer
sslHost = store.apple.com
# soft-fail case: the intermediate (index 1) is reported as having no OCSP
# status, but no overall error is expected
certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "store.apple.com, require OCSP if present"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
requireOcspIfPresent = true
cert = apple_v3.000.cer
cert = apple_v3.001.cer
sslHost = store.apple.com
# the intermediate advertises no responder, so "if present" does not apply
# to it; only the per-cert status is expected, with no overall error
certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "store.apple.com, require OCSP for all, fail"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
allowUnverified = false
cert = apple_v3.000.cer
cert = apple_v3.001.cer
sslHost = store.apple.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
# hard-fail case: with allowUnverified = false the missing status on the
# intermediate is expected to fail the whole verification
error = APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "store.apple.com, require OCSP if present, disable net, fail"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
requireOcspIfPresent = true
# Network fetch and cache are both disabled, presumably so that neither a
# live response nor one cached by an earlier test can satisfy the leaf's
# OCSP requirement; the expected result is an overall failure.
ocspNetFetchDisable = true
cacheDisable = true
cert = apple_v3.000.cer
cert = apple_v3.001.cer
sslHost = store.apple.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
error = APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "www.verisign.com"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
# (same value as the global default, stated explicitly for this test)
allowUnverified = true
cert = verisign_v3.100.cer
cert = verisign_v3.101.cer
#
# This one is the root, which SSL server sent us.
# Leave it in for variety.
#
cert = verisign_v3.102.cer
sslHost = www.verisign.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "accounts2.keybank.com"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
allowUnverified = true
cert = keybank_v3.100.cer
cert = keybank_v3.101.cer
#
# This one is the root, which SSL server sent us.
# Leave it in for variety.
#
cert = keybank_v3.102.cer
sslHost = accounts2.keybank.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "secure.authorize.net"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
allowUnverified = true
cert = secauth_v3.100.cer
cert = secauth_v3.101.cer
sslHost = secure.authorize.net
certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
###
### OCSP via ocsp.thawte.com
###
echo "================================="
test = "www.proteron.com"
revokePolicy = ocsp
requireOcspIfPresent = true
cert = proteron_v3.100.cer
sslHost = www.proteron.com
end
#
# misc. others
#
echo "================================="
test = "www.wellsfargo.com"
revokePolicy = ocsp
requireOcspIfPresent = true
cert = wellsfargo_v3.100.cer
cert = wellsfargo_v3.101.cer
sslHost = www.wellsfargo.com
end
echo "================================="
test = "www.certum.pl"
revokePolicy = ocsp
requireOcspIfPresent = true
cert = certum_v3.100.cer
cert = certum_v3.101.cer
sslHost = www.certum.pl
# TP_NOT_TRUSTED is expected here because we don't have the root, rather than
# the APPLETP_OCSP_BAD_RESPONSE that Radar 4158052 causes.
# NOTE(review): since the expected result is a trust failure, this test
# presumably does not exercise the OCSP outcome for this chain -- confirm.
error = TP_NOT_TRUSTED
end