# # OCSP verfication of certs obtained from SSL sites # globals certNetFetchEnable = false useSystemAnchors = true allowUnverified = true # alternate these two on successful runs, flip either one for failure requireOcspIfPresent = false requireOcspForAll = false cacheDisable = false end ### ### all these (until further notice) do OCSP via ocsp.verisign.com ### echo "=================================" test = "www.amazon.com" revokePolicy = ocsp cert = amazon_v3.100.cer cert = amazon_v3.101.cer sslHost = www.amazon.com requireOcspIfPresent = true end echo "=================================" test = "www.cduniverse.com" revokePolicy = ocsp cert = cduniverse_v3.100.cer cert = cduniverse_v3.101.cer sslHost = www.cduniverse.com requireOcspForAll = false end echo "=================================" test = "store.apple.com, allowing unverified" revokePolicy = ocsp # leaf has ocsp accessMethod in AIA, intermediate doesn't requireOcspIfPresent = true cert = apple_v3.100.cer cert = apple_v3.101.cer sslHost = store.apple.com certerror = 1:APPLETP_OCSP_UNAVAILABLE end echo "=================================" test = "store.apple.com, require OCSP if present" revokePolicy = ocsp # leaf has ocsp accessMethod in AIA, intermediate doesn't requireOcspIfPresent = true cert = apple_v3.100.cer cert = apple_v3.101.cer sslHost = store.apple.com certerror = 1:APPLETP_OCSP_UNAVAILABLE end echo "=================================" test = "store.apple.com, require OCSP for all, fail" revokePolicy = ocsp # leaf has ocsp accessMethod in AIA, intermediate doesn't requireOcspForAll = true cert = apple_v3.100.cer cert = apple_v3.101.cer sslHost = store.apple.com certerror = 1:APPLETP_OCSP_UNAVAILABLE error = APPLETP_OCSP_UNAVAILABLE end echo "=================================" test = "store.apple.com, require OCSP if present, disable net, fail" revokePolicy = ocsp # leaf has ocsp accessMethod in AIA, intermediate doesn't requireOcspIfPresent = true ocspNetFetchDisable = true cacheDisable = true cert = apple_v3.100.cer cert = apple_v3.101.cer sslHost = store.apple.com certerror = 1:APPLETP_OCSP_UNAVAILABLE error = APPLETP_OCSP_UNAVAILABLE end echo "=================================" test = "www.verisign.com" revokePolicy = ocsp # leaf has ocsp accessMethod in AIA, 2nd intermediate doesn't cert = verisign_v3.100.cer cert = verisign_v3.101.cer cert = verisign_v3.102.cer sslHost = www.verisign.com certerror = 2:APPLETP_OCSP_UNAVAILABLE end echo "=================================" test = "accounts.key.com" revokePolicy = ocsp # leaf has ocsp accessMethod in AIA, intermediate doesn't cert = keybank_v3.100.cer cert = keybank_v3.101.cer # # This one is the root, which SSL server sent us. # Leave it in for variety. # cert = keybank_v3.102.cer sslHost = accounts.key.com certerror = 1:APPLETP_OCSP_UNAVAILABLE end echo "=================================" test = "secure.authorize.net" revokePolicy = ocsp # This started working on 10/19/07. # The intermedaite has had an AIA for a while - maybe the URL it # pointed to just didn't work before today? # OLD COMMENT -- leaf has ocsp accessMethod in AIA, intermediate doesn't cert = secauth_v3.100.cer cert = secauth_v3.101.cer sslHost = secure.authorize.net # deleted 10/19/07 certerror = 1:APPLETP_OCSP_UNAVAILABLE end ### ### OCSP via ocsp.thawte.com ### # proteron deleted # # misc. others # echo "=================================" test = "www.wellsfargo.com" revokePolicy = ocsp requireOcspIfPresent = true cert = wellsfargo_v3.100.cer cert = wellsfargo_v3.101.cer sslHost = www.wellsfargo.com end echo "=================================" test = "www.certum.pl" revokePolicy = ocsp requireOcspIfPresent = true cert = certum_v3.100.cer cert = certum_v3.101.cer sslHost = www.certum.pl # this, because we don't have the root, instead of APPLETP_OCSP_BAD_RESPONSE # which Radar 4158052 causes error = TP_NOT_TRUSTED end