Test case for gnutls-cli --ocsp
authorThomas Klute <thomas2.klute@uni-dortmund.de>
Fri, 29 Apr 2016 00:50:31 +0000 (02:50 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 17 May 2016 09:17:03 +0000 (11:17 +0200)
This new test case checks that gnutls-cli, run with --ocsp, establishes a
TLS connection to a server presenting a valid certificate and refuses one
to a server presenting a revoked certificate, based on the OCSP responses it
obtains for each. Uses the OpenSSL OCSP responder.

Signed-off-by: Thomas Klute <thomas2.klute@uni-dortmund.de>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
13 files changed:
tests/ocsp-tests/Makefile.am
tests/ocsp-tests/certs/ca.key [moved from tests/ocsp-tests/ca.key with 100% similarity]
tests/ocsp-tests/certs/ca.pem [moved from tests/ocsp-tests/ca.pem with 100% similarity]
tests/ocsp-tests/certs/ocsp-server.key [moved from tests/ocsp-tests/ocsp-server.key with 100% similarity]
tests/ocsp-tests/certs/ocsp-server.pem [moved from tests/ocsp-tests/ocsp-server.pem with 100% similarity]
tests/ocsp-tests/certs/ocsp_index.txt [new file with mode: 0644]
tests/ocsp-tests/certs/ocsp_index.txt.attr [new file with mode: 0644]
tests/ocsp-tests/certs/server_bad.key [new file with mode: 0644]
tests/ocsp-tests/certs/server_bad.template [new file with mode: 0644]
tests/ocsp-tests/certs/server_good.key [new file with mode: 0644]
tests/ocsp-tests/certs/server_good.template [new file with mode: 0644]
tests/ocsp-tests/ocsp-test
tests/ocsp-tests/ocsp-tls-connection [new file with mode: 0755]

index a695f26d76824be582c300ea0adf940355dbc106..b5f0fe4a1f2bb0a5d8438d529134240f4c14a8d9 100644 (file)
 # along with this file; if not, write to the Free Software Foundation,
 # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
-EXTRA_DIST = ca.key ca.pem ocsp-server.key ocsp-server.pem response1.der \
-       response2.der
+EXTRA_DIST = certs/ca.key certs/ca.pem certs/ocsp-server.key certs/ocsp-server.pem response1.der \
+       response2.der certs/ocsp_index.txt certs/ocsp_index.txt.attr \
+       certs/server_good.key certs/server_bad.key certs/server_good.template \
+       certs/server_bad.template
 
-dist_check_SCRIPTS = ocsp-test
+dist_check_SCRIPTS = ocsp-test ocsp-tls-connection
 
 TESTS = $(dist_check_SCRIPTS)
 
diff --git a/tests/ocsp-tests/certs/ocsp_index.txt b/tests/ocsp-tests/certs/ocsp_index.txt
new file mode 100644 (file)
index 0000000..e9e2dd7
--- /dev/null
@@ -0,0 +1,2 @@
+R      260329162441Z   160428142441Z   3       unknown CN=localhost
+V      260329162441Z           2       unknown CN=localhost
diff --git a/tests/ocsp-tests/certs/ocsp_index.txt.attr b/tests/ocsp-tests/certs/ocsp_index.txt.attr
new file mode 100644 (file)
index 0000000..3a7e39e
--- /dev/null
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/tests/ocsp-tests/certs/server_bad.key b/tests/ocsp-tests/certs/server_bad.key
new file mode 100644 (file)
index 0000000..814693e
--- /dev/null
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/tests/ocsp-tests/certs/server_bad.template b/tests/ocsp-tests/certs/server_bad.template
new file mode 100644 (file)
index 0000000..0408a97
--- /dev/null
@@ -0,0 +1,9 @@
+# static serial so the OCSP DB does not need to be changed
+serial=3
+cn=localhost
+tls_www_server
+signing_key
+encryption_key
+dns_name="localhost"
+activation_date = "2016-03-29 16:21:42"
+expiration_date = "2026-03-29 16:24:41"
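Review bot: The values in this template are coupled to certs/ocsp_index.txt but nothing here says so: `serial=3` selects the `R` (revoked) entry of the index that the OpenSSL responder is started with, and `expiration_date` mirrors that entry's 260329162441Z expiry column, so editing either file alone silently changes what the responder answers for this certificate. The header comment only explains why the serial is static; extend it with `# serial 3 and expiration_date must match the R (revoked) line in ocsp_index.txt`. A reader changing the validity period would otherwise not know to touch the index as well.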
diff --git a/tests/ocsp-tests/certs/server_good.key b/tests/ocsp-tests/certs/server_good.key
new file mode 100644 (file)
index 0000000..f5e71dd
--- /dev/null
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/tests/ocsp-tests/certs/server_good.template b/tests/ocsp-tests/certs/server_good.template
new file mode 100644 (file)
index 0000000..2d02758
--- /dev/null
@@ -0,0 +1,9 @@
+# static serial so the OCSP DB does not need to be changed
+serial=2
+cn=localhost
+tls_www_server
+signing_key
+encryption_key
+dns_name="localhost"
+activation_date = "2016-03-29 16:21:42"
+expiration_date = "2026-03-29 16:24:41"
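Review bot: `ocsp_uri` is missing from this template without explanation; ocsp-tls-connection appends it at run time because the responder port is chosen randomly per run, so the template cannot carry it. A reader who only sees this file, or feeds it to certtool directly, gets a certificate with no AIA extension and no hint why. Add to the header: `# ocsp_uri is appended by ocsp-tls-connection at run time (random responder port)`. The same applies to server_bad.template.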
index 7e5b2c980d13384649bd6feb3a404c9d19ef0dba..5fe2659162cf0b156f932a9c23b51e5f0df98e91 100755 (executable)
@@ -39,7 +39,7 @@ fi
 # (if example the system was busy)
 
 datefudge -s "2016-04-22" \
-       "${OCSPTOOL}" -e --load-signer "${srcdir}/ca.pem" --infile "${srcdir}/response1.der"
+       "${OCSPTOOL}" -e --load-signer "${srcdir}/certs/ca.pem" --infile "${srcdir}/response1.der"
 rc=$?
 
 # We're done.
@@ -49,7 +49,7 @@ if test "${rc}" != "0"; then
 fi
 
 datefudge -s "2016-04-22" \
-       "${OCSPTOOL}" -e --load-signer "${srcdir}/ocsp-server.pem" --infile "${srcdir}/response2.der"
+       "${OCSPTOOL}" -e --load-signer "${srcdir}/certs/ocsp-server.pem" --infile "${srcdir}/response2.der"
 rc=$?
 
 # We're done.
@@ -59,7 +59,7 @@ if test "${rc}" != "0"; then
 fi
 
 datefudge -s "2016-04-22" \
-       "${OCSPTOOL}" -e --load-signer "${srcdir}/ca.pem" --infile "${srcdir}/response2.der" -d 4
+       "${OCSPTOOL}" -e --load-signer "${srcdir}/certs/ca.pem" --infile "${srcdir}/response2.der" -d 4
 rc=$?
 
 # We're done.
diff --git a/tests/ocsp-tests/ocsp-tls-connection b/tests/ocsp-tests/ocsp-tls-connection
new file mode 100755 (executable)
index 0000000..6d2b8ac
--- /dev/null
@@ -0,0 +1,223 @@
+#!/bin/sh
+
+# Test case: Try to establish TLS connections with gnutls-cli and
+# check the validity of the server certificate via OCSP
+#
+# Copyright (C) 2016 Thomas Klute
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+OCSPTOOL="${OCSPTOOL:-../../src/ocsptool${EXEEXT}}"
+GNUTLS_SERV="${GNUTLS_SERV:-../../src/gnutls-serv${EXEEXT}}"
+GNUTLS_CLI="${GNUTLS_CLI:-../../src/gnutls-cli${EXEEXT}}"
+DIFF="${DIFF:-diff}"
+TEMPLATE_FILE="out.$$.tmpl.tmp"
+SERVER_CERT_FILE="cert.$$.pem.tmp"
+
+export TZ="UTC"
+
+. "${srcdir}/../scripts/common.sh"
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+
+# Port to use for OCSP server, must match the OCSP URI set in the
+# server_*.pem certificates
+eval "${GETPORT}"
+OCSP_PORT=$PORT
+
+# Maximum timeout for server startup (OCSP and TLS)
+SERVER_START_TIMEOUT=10
+
+# Check for OpenSSL
+OPENSSL=`which openssl`
+if ! test -x "${OPENSSL}"; then
+    echo "You need openssl to run this test."
+    exit 77
+fi
+
+# Check for netcat
+NETCAT=`which nc`
+if ! test -x "${NETCAT}"; then
+    echo "You need nc to run this test."
+    exit 77
+fi
+
+# Check for datefudge
+TSTAMP=`datefudge "2006-09-23" date -u +%s || true`
+if test "$TSTAMP" != "1158969600"; then
+    echo $TSTAMP
+    echo "You need datefudge to run this test."
+    exit 77
+fi
+
+CERTDATE="2016-04-28"
+TESTDATE="2016-04-29"
+
+OCSP_PID=""
+TLS_SERVER_PID=""
+stop_servers ()
+{
+    test -z "${OCSP_PID}" || kill "${OCSP_PID}"
+    test -z "${TLS_SERVER_PID}" || kill "${TLS_SERVER_PID}"
+    rm -f "$TEMPLATE_FILE"
+    rm -f "$SERVER_CERT_FILE"
+}
+trap stop_servers 1 15 2 EXIT
+
+echo "=== Generating good server certificate ==="
+
+rm -f "$TEMPLATE_FILE"
+cp "${srcdir}/certs/server_good.template" "$TEMPLATE_FILE"
+echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
+
+# Generate certificates with the random port
+datefudge -s "${CERTDATE}" ${CERTTOOL} \
+       --generate-certificate --load-ca-privkey "${srcdir}/certs/ca.key" \
+       --load-ca-certificate "${srcdir}/certs/ca.pem" \
+       --load-privkey "${srcdir}/certs/server_good.key" \
+       --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null
+
+echo "=== Bringing OCSP server up ==="
+
+# Start OpenSSL OCSP server
+#
+# WARNING: As of version 1.0.2g, OpenSSL OCSP cannot bind the TCP port
+# if started repeatedly in a short time, probably a lack of
+# SO_REUSEADDR usage.
+PORT=${OCSP_PORT}
+launch_bare_server $$ \
+         datefudge "${TESTDATE}" \
+         "${OPENSSL}" ocsp -index "${srcdir}/certs/ocsp_index.txt" -text \
+         -port "${OCSP_PORT}" \
+         -rsigner "${srcdir}/certs/ocsp-server.pem" \
+         -rkey "${srcdir}/certs/ocsp-server.key" \
+         -CA "${srcdir}/certs/ca.pem"
+OCSP_PID="${!}"
+wait_server "${OCSP_PID}"
+
+echo "=== Verifying OCSP server is up ==="
+
+# Port probing (as done in wait_port) makes the OpenSSL OCSP server
+# crash due to the "invalid request", so try proper requests
+t=0
+while test "${t}" -lt "${SERVER_START_TIMEOUT}"; do
+    # Run a test request to make sure the server works
+    datefudge "${TESTDATE}" \
+             "${OCSPTOOL}" --ask \
+             --load-cert "${SERVER_CERT_FILE}" \
+             --load-issuer "${srcdir}/certs/ca.pem"
+    rc=$?
+    if test "${rc}" = "0"; then
+       break
+    else
+       t=`expr ${t} + 1`
+       sleep 1
+    fi
+done
+# Fail if the final OCSP request failed
+if test "${rc}" != "0"; then
+    echo "OCSP server check failed."
+    exit ${rc}
+fi
+
+echo "=== Test 1: Server with valid certificate ==="
+
+PORT=${TLS_SERVER_PORT}
+launch_bare_server $$ \
+         datefudge "${TESTDATE}" \
+         "${GNUTLS_SERV}" --echo --disable-client-cert \
+         --x509keyfile="${srcdir}/certs/server_good.key" \
+         --x509certfile="${SERVER_CERT_FILE}" \
+         --port="${TLS_SERVER_PORT}"
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+    datefudge -s "${TESTDATE}" \
+             "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/certs/ca.pem" \
+             --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "0"; then
+    echo "Connecting to server with valid certificate failed."
+    exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Generating bad server certificate ==="
+
+rm -f "${SERVER_CERT_FILE}"
+rm -f "${TEMPLATE_FILE}"
+cp "${srcdir}/certs/server_bad.template" "$TEMPLATE_FILE"
+echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
+
+# Generate certificates with the random port
+datefudge -s "${CERTDATE}" ${CERTTOOL} \
+       --generate-certificate --load-ca-privkey "${srcdir}/certs/ca.key" \
+       --load-ca-certificate "${srcdir}/certs/ca.pem" \
+       --load-privkey "${srcdir}/certs/server_bad.key" \
+       --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}"
+
+echo "=== Test 2: Server with revoked certificate ==="
+
+eval "${GETPORT}"
+TLS_SERVER_PORT=$PORT
+
+launch_bare_server $$ \
+         datefudge "${TESTDATE}" \
+         "${GNUTLS_SERV}" --echo --disable-client-cert \
+         --x509keyfile="${srcdir}/certs/server_bad.key" \
+         --x509certfile="${SERVER_CERT_FILE}" \
+         --port="${TLS_SERVER_PORT}"
+TLS_SERVER_PID="${!}"
+wait_server ${TLS_SERVER_PID}
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+    datefudge -s "${TESTDATE}" \
+             "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/certs/ca.pem" \
+             --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+# This connection should not work because the certificate has been
+# revoked.
+if test "${rc}" = "0"; then
+    echo "Connecting to server with revoked certificate succeeded."
+    exit 1
+fi
+
+kill ${OCSP_PID}
+wait ${OCSP_PID}
+unset OCSP_PID
+
+rm -f "${SERVER_CERT_FILE}"
+rm -f "${TEMPLATE_FILE}"
+
+exit 0
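Review bot: Test 2 can pass without exercising revocation at all: the only assertion is that the final --ocsp connection exits non-zero, but that is equally the outcome when the revoked certificate was never produced, since the certtool run for server_bad is not checked for success (the good-certificate run is at least verified indirectly by the OCSP probe loop), or when gnutls-serv failed to start. A negative test should show that the failure is caused by the OCSP status, so abort if certtool fails and, before the --ocsp attempt, connect once without --ocsp: assuming gnutls-cli does not consult OCSP unless asked, that plain handshake must succeed because the revoked certificate is still CA-signed, within its validity dates and issued for localhost, which leaves revocation as the only explanation for the subsequent failure. If gnutls-cli prints a recognisable revocation message (its wording is not in this diff), grepping the captured output would pin it down further. Separately, `NETCAT` is probed with `which nc` but never used afterwards, so that skip condition only loses coverage on hosts without nc; drop it, and prefer `command -v` over `which` for the openssl probe.
```shell
# … unchanged: bad-certificate template preparation …
datefudge -s "${CERTDATE}" ${CERTTOOL} \
	--generate-certificate --load-ca-privkey "${srcdir}/certs/ca.key" \
	--load-ca-certificate "${srcdir}/certs/ca.pem" \
	--load-privkey "${srcdir}/certs/server_bad.key" \
	--template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" || {
    echo "Generating bad server certificate failed."
    exit 1
}
# … unchanged: gnutls-serv launch for test 2 …
# Control: without --ocsp the revoked certificate is still a CA-signed,
# in-date certificate for localhost, so this connection must succeed.
# It rules out fixture or server problems as the cause of the failure
# asserted below.
echo "test 123456" | \
    datefudge -s "${TESTDATE}" \
	     "${GNUTLS_CLI}" --x509cafile="${srcdir}/certs/ca.pem" \
	     --port="${TLS_SERVER_PORT}" localhost
if test "$?" != "0"; then
    echo "Connecting to server with revoked certificate without --ocsp failed."
    exit 1
fi
# … unchanged: --ocsp connection, expected to fail …
```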