# 
# OCSP verfication of certs obtained from SSL sites
#
globals
certNetFetchEnable = false
useSystemAnchors = true
allowUnverified = true
# alternate these two on successful runs, flip either one for failure
requireOcspIfPresent = false
requireOcspForAll = false
cacheDisable = false
end
###
### all these (until further notice) do OCSP via ocsp.verisign.com
###
echo "================================="
test = "www.amazon.com"
revokePolicy = ocsp
cert = amazon_v3.100.cer
cert = amazon_v3.101.cer
sslHost = www.amazon.com
requireOcspIfPresent = true
end
echo "================================="
test = "www.cduniverse.com"
revokePolicy = ocsp
cert = cduniverse_v3.100.cer
cert = cduniverse_v3.101.cer
sslHost = www.cduniverse.com
requireOcspForAll = false
end
echo "================================="
test = "store.apple.com, allowing unverified"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
requireOcspIfPresent = true
cert = apple_v3.100.cer
cert = apple_v3.101.cer
sslHost = store.apple.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "store.apple.com, require OCSP if present"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
requireOcspIfPresent = true
cert = apple_v3.100.cer
cert = apple_v3.101.cer
sslHost = store.apple.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "store.apple.com, require OCSP for all, fail"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
requireOcspForAll = true
cert = apple_v3.100.cer
cert = apple_v3.101.cer
sslHost = store.apple.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
error = APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "store.apple.com, require OCSP if present, disable net, fail"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
requireOcspIfPresent = true
ocspNetFetchDisable = true
cacheDisable = true
cert = apple_v3.100.cer
cert = apple_v3.101.cer
sslHost = store.apple.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
error = APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "www.verisign.com"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, 2nd intermediate doesn't
cert = verisign_v3.100.cer
cert = verisign_v3.101.cer
cert = verisign_v3.102.cer
sslHost = www.verisign.com
certerror = 2:APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "accounts.key.com"
revokePolicy = ocsp
# leaf has ocsp accessMethod in AIA, intermediate doesn't
cert = keybank_v3.100.cer
cert = keybank_v3.101.cer
#
# This one is the root, which SSL server sent us. 
# Leave it in for variety.
#
cert = keybank_v3.102.cer
sslHost = accounts.key.com
certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
echo "================================="
test = "secure.authorize.net"
revokePolicy = ocsp
# This started working on 10/19/07.
# The intermedaite has had an AIA for a while - maybe the URL it 
# pointed to just didn't work before today?
# OLD COMMENT -- leaf has ocsp accessMethod in AIA, intermediate doesn't
cert = secauth_v3.100.cer
cert = secauth_v3.101.cer
sslHost = secure.authorize.net
# deleted 10/19/07 certerror = 1:APPLETP_OCSP_UNAVAILABLE
end
###
### OCSP via ocsp.thawte.com
###
#  proteron deleted 
#
# misc. others
#
echo "================================="
test = "www.wellsfargo.com"
revokePolicy = ocsp
requireOcspIfPresent = true
cert = wellsfargo_v3.100.cer
cert = wellsfargo_v3.101.cer
sslHost = www.wellsfargo.com
end
echo "================================="
test = "www.certum.pl"
revokePolicy = ocsp
requireOcspIfPresent = true
cert = certum_v3.100.cer
cert = certum_v3.101.cer
sslHost = www.certum.pl
# this, because we don't have the root, instead of APPLETP_OCSP_BAD_RESPONSE
# which Radar 4158052 causes
error = TP_NOT_TRUSTED
end