[thirdparty/pdns.git] / regression-tests.dnsdist / test_OCSP.py

#!/usr/bin/env python
import base64
import dns
import os
import subprocess
import unittest
from dnsdisttests import DNSDistTest, pickAvailablePort

class DNSDistOCSPStaplingTest(DNSDistTest):

    @classmethod
    def checkOCSPStaplingStatus(cls, addr, port, serverName, caFile):
        testcmd = ['openssl', 's_client', '-CAfile', caFile, '-connect', '%s:%d' % (addr, port), '-status', '-servername', serverName ]
        output = None
        try:
            process = subprocess.Popen(testcmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)
            output = process.communicate(input='')
        except subprocess.CalledProcessError as exc:
            raise AssertionError('openssl s_client failed (%d): %s' % (exc.returncode, exc.output))

        return output[0].decode()

    @classmethod
    def getOCSPSerial(cls, output):
        serialNumber = None
        for line in output.splitlines():
            line = line.strip()
            print(line)
            if line.startswith('Serial Number:'):
                (_, serialNumber) = line.split(':')
                break

        return serialNumber

    def getTLSProvider(self):
        return self.sendConsoleCommand("getBind(0):getEffectiveTLSProvider()").rstrip()

@unittest.skipIf('SKIP_DOH_TESTS' in os.environ, 'DNS over HTTPS tests are disabled')
class TestOCSPStaplingDOH(DNSDistOCSPStaplingTest):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _ocspFile = 'server.ocsp'
    _caCert = 'ca.pem'
    _caKey = 'ca.key'
    _dohServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addDOHLocal("127.0.0.1:%s", "%s", "%s", { "/" }, { ocspResponses={"%s"}})
    """
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_dohServerPort', '_serverCert', '_serverKey', '_ocspFile']

    @classmethod
    def setUpClass(cls):

        # for some reason, @unittest.skipIf() is not applied to derived classes with some versions of Python
        if 'SKIP_DOH_TESTS' in os.environ:
            raise unittest.SkipTest('DNS over HTTPS tests are disabled')

        cls.startResponders()
        cls.startDNSDist()
        cls.setUpSockets()

        print("Launching tests..")

    def testOCSPStapling(self):
        """
        OCSP Stapling: DOH
        """
        output = self.checkOCSPStaplingStatus('127.0.0.1', self._dohServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)

        serialNumber = self.getOCSPSerial(output)
        self.assertTrue(serialNumber)

        self.generateNewCertificateAndKey()
        self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
        self.sendConsoleCommand("reloadAllCertificates()")

        output = self.checkOCSPStaplingStatus('127.0.0.1', self._dohServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        serialNumber2 = self.getOCSPSerial(output)
        self.assertTrue(serialNumber2)
        self.assertNotEqual(serialNumber, serialNumber2)

class TestBrokenOCSPStaplingDoH(DNSDistOCSPStaplingTest):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    # invalid OCSP file!
    _ocspFile = '/dev/null'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    addDOHLocal("127.0.0.1:%s", "%s", "%s", { "/" }, { ocspResponses={"%s"}})
    """
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']

    def testBrokenOCSPStapling(self):
        """
        OCSP Stapling: Broken (DoH)
        """
        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertNotIn('OCSP Response Status: successful (0x0)', output)

class TestOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _ocspFile = 'server.ocsp'
    _caCert = 'ca.pem'
    _caKey = 'ca.key'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
    """
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']

    def testOCSPStapling(self):
        """
        OCSP Stapling: TLS (GnuTLS)
        """
        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        self.assertEqual(self.getTLSProvider(), "gnutls")

        serialNumber = self.getOCSPSerial(output)
        self.assertTrue(serialNumber)

        self.generateNewCertificateAndKey()
        self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
        self.sendConsoleCommand("reloadAllCertificates()")

        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        serialNumber2 = self.getOCSPSerial(output)
        self.assertTrue(serialNumber2)
        self.assertNotEqual(serialNumber, serialNumber2)

class TestBrokenOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    # invalid OCSP file!
    _ocspFile = '/dev/null'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
    """
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']

    def testBrokenOCSPStapling(self):
        """
        OCSP Stapling: Broken (GnuTLS)
        """
        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertNotIn('OCSP Response Status: successful (0x0)', output)
        self.assertEqual(self.getTLSProvider(), "gnutls")

class TestOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _ocspFile = 'server.ocsp'
    _caCert = 'ca.pem'
    _caKey = 'ca.key'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
    """
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']

    def testOCSPStapling(self):
        """
        OCSP Stapling: TLS (OpenSSL)
        """
        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        self.assertEqual(self.getTLSProvider(), "openssl")

        serialNumber = self.getOCSPSerial(output)
        self.assertTrue(serialNumber)

        self.generateNewCertificateAndKey()
        self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
        self.sendConsoleCommand("reloadAllCertificates()")

        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        serialNumber2 = self.getOCSPSerial(output)
        self.assertTrue(serialNumber2)
        self.assertNotEqual(serialNumber, serialNumber2)

class TestBrokenOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    # invalid OCSP file!
    _ocspFile = '/dev/null'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
    """
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']

    def testBrokenOCSPStapling(self):
        """
        OCSP Stapling: Broken (OpenSSL)
        """
        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertNotIn('OCSP Response Status: successful (0x0)', output)
        self.assertEqual(self.getTLSProvider(), "openssl")
Commit	Line	Data
8c15553e	1	#!/usr/bin/env python
1d896c34	2	import base64
8c15553e	3	import dns
13291274	4	import os
8c15553e	5	import subprocess
13291274	6	import unittest
630eb526	7	from dnsdisttests import DNSDistTest, pickAvailablePort
8c15553e RG	8
	9	class DNSDistOCSPStaplingTest(DNSDistTest):
	10
	11	@classmethod
	12	def checkOCSPStaplingStatus(cls, addr, port, serverName, caFile):
	13	testcmd = ['openssl', 's_client', '-CAfile', caFile, '-connect', '%s:%d' % (addr, port), '-status', '-servername', serverName ]
	14	output = None
	15	try:
	16	process = subprocess.Popen(testcmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)
	17	output = process.communicate(input='')
	18	except subprocess.CalledProcessError as exc:
1d896c34	19	raise AssertionError('openssl s_client failed (%d): %s' % (exc.returncode, exc.output))
8c15553e RG	20
	21	return output[0].decode()
	22
1d896c34 RG	23	@classmethod
	24	def getOCSPSerial(cls, output):
	25	serialNumber = None
	26	for line in output.splitlines():
	27	line = line.strip()
	28	print(line)
	29	if line.startswith('Serial Number:'):
	30	(_, serialNumber) = line.split(':')
	31	break
	32
	33	return serialNumber
	34
98222dfc RG	35	def getTLSProvider(self):
	36	return self.sendConsoleCommand("getBind(0):getEffectiveTLSProvider()").rstrip()
	37
13291274	38	@unittest.skipIf('SKIP_DOH_TESTS' in os.environ, 'DNS over HTTPS tests are disabled')
8c15553e RG	39	class TestOCSPStaplingDOH(DNSDistOCSPStaplingTest):
8c15553e RG	40
1d896c34 RG	41	_consoleKey = DNSDistTest.generateConsoleKey()
1d896c34 RG	42	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
8c15553e RG	43	_serverKey = 'server.key'
	44	_serverCert = 'server.chain'
	45	_serverName = 'tls.tests.dnsdist.org'
	46	_ocspFile = 'server.ocsp'
	47	_caCert = 'ca.pem'
	48	_caKey = 'ca.key'
630eb526	49	_dohServerPort = pickAvailablePort()
8c15553e RG	50	_config_template = """
8c15553e RG	51	newServer{address="127.0.0.1:%s"}
1d896c34 RG	52	setKey("%s")
1d896c34 RG	53	controlSocket("127.0.0.1:%s")
8c15553e RG	54
	55	-- generate an OCSP response file for our certificate, valid one day
	56	generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
	57	addDOHLocal("127.0.0.1:%s", "%s", "%s", { "/" }, { ocspResponses={"%s"}})
	58	"""
1d896c34	59	_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_dohServerPort', '_serverCert', '_serverKey', '_ocspFile']
8c15553e	60
13291274 RG	61	@classmethod
	62	def setUpClass(cls):
	63
	64	# for some reason, @unittest.skipIf() is not applied to derived classes with some versions of Python
	65	if 'SKIP_DOH_TESTS' in os.environ:
	66	raise unittest.SkipTest('DNS over HTTPS tests are disabled')
	67
	68	cls.startResponders()
	69	cls.startDNSDist()
	70	cls.setUpSockets()
	71
	72	print("Launching tests..")
	73
8c15553e RG	74	def testOCSPStapling(self):
	75	"""
	76	OCSP Stapling: DOH
	77	"""
	78	output = self.checkOCSPStaplingStatus('127.0.0.1', self._dohServerPort, self._serverName, self._caCert)
	79	self.assertIn('OCSP Response Status: successful (0x0)', output)
	80
1d896c34 RG	81	serialNumber = self.getOCSPSerial(output)
	82	self.assertTrue(serialNumber)
	83
	84	self.generateNewCertificateAndKey()
	85	self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
	86	self.sendConsoleCommand("reloadAllCertificates()")
	87
	88	output = self.checkOCSPStaplingStatus('127.0.0.1', self._dohServerPort, self._serverName, self._caCert)
	89	self.assertIn('OCSP Response Status: successful (0x0)', output)
	90	serialNumber2 = self.getOCSPSerial(output)
	91	self.assertTrue(serialNumber2)
4bfebc93	92	self.assertNotEqual(serialNumber, serialNumber2)
1d896c34	93
d1ce3058 RG	94	class TestBrokenOCSPStaplingDoH(DNSDistOCSPStaplingTest):
	95
	96	_consoleKey = DNSDistTest.generateConsoleKey()
	97	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
	98	_serverKey = 'server.key'
	99	_serverCert = 'server.chain'
	100	_serverName = 'tls.tests.dnsdist.org'
	101	_caCert = 'ca.pem'
	102	# invalid OCSP file!
	103	_ocspFile = '/dev/null'
630eb526	104	_tlsServerPort = pickAvailablePort()
d1ce3058 RG	105	_config_template = """
	106	newServer{address="127.0.0.1:%s"}
	107	setKey("%s")
	108	controlSocket("127.0.0.1:%s")
	109
	110	addDOHLocal("127.0.0.1:%s", "%s", "%s", { "/" }, { ocspResponses={"%s"}})
	111	"""
	112	_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
	113
	114	def testBrokenOCSPStapling(self):
	115	"""
	116	OCSP Stapling: Broken (DoH)
	117	"""
	118	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	119	self.assertNotIn('OCSP Response Status: successful (0x0)', output)
	120
8c15553e RG	121	class TestOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest):
8c15553e RG	122
1d896c34 RG	123	_consoleKey = DNSDistTest.generateConsoleKey()
1d896c34 RG	124	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
8c15553e RG	125	_serverKey = 'server.key'
	126	_serverCert = 'server.chain'
	127	_serverName = 'tls.tests.dnsdist.org'
	128	_ocspFile = 'server.ocsp'
	129	_caCert = 'ca.pem'
	130	_caKey = 'ca.key'
630eb526	131	_tlsServerPort = pickAvailablePort()
8c15553e RG	132	_config_template = """
8c15553e RG	133	newServer{address="127.0.0.1:%s"}
1d896c34 RG	134	setKey("%s")
1d896c34 RG	135	controlSocket("127.0.0.1:%s")
8c15553e RG	136
	137	-- generate an OCSP response file for our certificate, valid one day
	138	generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
	139	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
	140	"""
1d896c34	141	_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
8c15553e RG	142
	143	def testOCSPStapling(self):
	144	"""
	145	OCSP Stapling: TLS (GnuTLS)
	146	"""
	147	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	148	self.assertIn('OCSP Response Status: successful (0x0)', output)
630eb526	149	self.assertEqual(self.getTLSProvider(), "gnutls")
8c15553e	150
1d896c34 RG	151	serialNumber = self.getOCSPSerial(output)
	152	self.assertTrue(serialNumber)
	153
	154	self.generateNewCertificateAndKey()
	155	self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
	156	self.sendConsoleCommand("reloadAllCertificates()")
	157
	158	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	159	self.assertIn('OCSP Response Status: successful (0x0)', output)
	160	serialNumber2 = self.getOCSPSerial(output)
	161	self.assertTrue(serialNumber2)
4bfebc93	162	self.assertNotEqual(serialNumber, serialNumber2)
1d896c34	163
d1ce3058 RG	164	class TestBrokenOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest):
	165
	166	_consoleKey = DNSDistTest.generateConsoleKey()
	167	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
	168	_serverKey = 'server.key'
	169	_serverCert = 'server.chain'
	170	_serverName = 'tls.tests.dnsdist.org'
	171	_caCert = 'ca.pem'
	172	# invalid OCSP file!
	173	_ocspFile = '/dev/null'
630eb526	174	_tlsServerPort = pickAvailablePort()
d1ce3058 RG	175	_config_template = """
	176	newServer{address="127.0.0.1:%s"}
	177	setKey("%s")
	178	controlSocket("127.0.0.1:%s")
	179
	180	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
	181	"""
	182	_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
	183
	184	def testBrokenOCSPStapling(self):
	185	"""
	186	OCSP Stapling: Broken (GnuTLS)
	187	"""
	188	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	189	self.assertNotIn('OCSP Response Status: successful (0x0)', output)
630eb526	190	self.assertEqual(self.getTLSProvider(), "gnutls")
d1ce3058	191
8c15553e RG	192	class TestOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest):
8c15553e RG	193
1d896c34 RG	194	_consoleKey = DNSDistTest.generateConsoleKey()
1d896c34 RG	195	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
8c15553e RG	196	_serverKey = 'server.key'
	197	_serverCert = 'server.chain'
	198	_serverName = 'tls.tests.dnsdist.org'
	199	_ocspFile = 'server.ocsp'
	200	_caCert = 'ca.pem'
	201	_caKey = 'ca.key'
630eb526	202	_tlsServerPort = pickAvailablePort()
8c15553e RG	203	_config_template = """
8c15553e RG	204	newServer{address="127.0.0.1:%s"}
1d896c34 RG	205	setKey("%s")
1d896c34 RG	206	controlSocket("127.0.0.1:%s")
8c15553e RG	207
	208	-- generate an OCSP response file for our certificate, valid one day
	209	generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
	210	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
	211	"""
1d896c34	212	_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
8c15553e RG	213
	214	def testOCSPStapling(self):
	215	"""
	216	OCSP Stapling: TLS (OpenSSL)
	217	"""
	218	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	219	self.assertIn('OCSP Response Status: successful (0x0)', output)
630eb526	220	self.assertEqual(self.getTLSProvider(), "openssl")
1d896c34 RG	221
	222	serialNumber = self.getOCSPSerial(output)
	223	self.assertTrue(serialNumber)
	224
	225	self.generateNewCertificateAndKey()
	226	self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
	227	self.sendConsoleCommand("reloadAllCertificates()")
	228
	229	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	230	self.assertIn('OCSP Response Status: successful (0x0)', output)
	231	serialNumber2 = self.getOCSPSerial(output)
	232	self.assertTrue(serialNumber2)
4bfebc93	233	self.assertNotEqual(serialNumber, serialNumber2)
d1ce3058 RG	234
	235	class TestBrokenOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest):
	236
	237	_consoleKey = DNSDistTest.generateConsoleKey()
	238	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
	239	_serverKey = 'server.key'
	240	_serverCert = 'server.chain'
	241	_serverName = 'tls.tests.dnsdist.org'
	242	_caCert = 'ca.pem'
	243	# invalid OCSP file!
	244	_ocspFile = '/dev/null'
630eb526	245	_tlsServerPort = pickAvailablePort()
d1ce3058 RG	246	_config_template = """
	247	newServer{address="127.0.0.1:%s"}
	248	setKey("%s")
	249	controlSocket("127.0.0.1:%s")
	250
	251	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
	252	"""
	253	_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
	254
	255	def testBrokenOCSPStapling(self):
	256	"""
	257	OCSP Stapling: Broken (OpenSSL)
	258	"""
	259	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	260	self.assertNotIn('OCSP Response Status: successful (0x0)', output)
630eb526	261	self.assertEqual(self.getTLSProvider(), "openssl")