Re: svn commit: r1843478 - /httpd/test/framework/trunk/t/ssl/ocsp.t

On 14.10.2018 at 21:59, William A Rowe Jr wrote:
On Sun, Oct 14, 2018 at 8:32 AM Jim Jagielski <jim@xxxxxxxxxxx> wrote:

    All we are checking is the error code. Nothing else.

        % openssl version
        OpenSSL 1.0.2p  14 Aug 2018
        % openssl ocsp 2>/dev/null
        % print $?
        % openssl foo 2>/dev/null
        % print $?

    With 1.1.1, both return 1, but so what, we know that it has ocsp.

I can confirm this behavior for normal OpenSSL 1.0.2p.

$ openssl ocsp >/dev/null
ocsp: Use -help for summary.
$ echo $?
$ openssl xyz >/dev/null
Invalid command 'xyz'; type "help" for a list.
$ echo $?
$ openssl version
OpenSSL 1.1.0i-fips  14 Aug 2018

I can also confirm this behavior for normal OpenSSL 1.1.0i.

And Jim already said "With 1.1.1, both return 1, but so what, we know that it has ocsp."

This doesn't tell us whether ocsp is compiled in.
I have no idea which bastardization of the openssl command line tool you are using which returns success for bad verbs.

Please refrain from such wild guessing (bastardization).

So checking the status code seems OK for 1.0.2 and newer versions as well (for different reasons), but it doesn't look understandable either (because it only works for 1.1.0+ due to a change in behavior). If Bill's suggestion "`$openssl ocsp -help` !~ /Usage:/" were used, it would be easier to understand.

    Complaining about /dev/null : orig code had this. Why was that OK?

But I think you (Jim) introduced /dev/null in an attempt to fix another problem in r1832567.

Never suggested it was OK.

I guess that's not what Jim meant; instead, he might have asked why there was no complaint when it was originally introduced. But I think that doesn't lead us anywhere.

 Asking about finding potential *solutions* instead of throwing more darts at the wall. Why the emotive tone to a technical discussion?

Probably because it was unclear at that point whether there was a problem.
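
The two probes from this thread side by side, as an added example that is not part of the original messages or of the httpd test framework. The stub functions are constructed stand-ins for an openssl binary built with and without ocsp; their banner text and exit codes are assumptions modelled on the lines quoted above, and the names `has_ocsp`, `status_probe` and `report` are hypothetical.

```shell
#!/bin/sh
# Added example: detect the ocsp subcommand by its usage banner, not by $?.

# has_ocsp CMD: true only if "CMD ocsp -help" prints a usage banner.
# Both output streams are captured; the exit status is deliberately ignored.
has_ocsp() {
    out=$("$1" ocsp -help 2>&1 </dev/null) || true
    case $out in
        *Usage:*) return 0 ;;
        *)        return 1 ;;
    esac
}

# status_probe CMD: the exit-status check discussed in the thread, for comparison.
status_probe() {
    "$1" ocsp >/dev/null 2>&1 </dev/null
}

# Constructed stand-in: a build that has ocsp. Bare "ocsp" exits 1 here,
# matching the "both return 1" observation in the thread.
stub_with_ocsp() {
    if [ "$1" = ocsp ]; then
        [ "$2" = -help ] && { echo "Usage: ocsp [options]"; return 0; }
        echo "ocsp: Use -help for summary." >&2; return 1
    fi
    echo "Invalid command '$1'; type \"help\" for a list." >&2; return 1
}

# Constructed stand-in: a build without ocsp, so every verb it sees is invalid.
stub_without_ocsp() {
    echo "Invalid command '$1'; type \"help\" for a list." >&2; return 1
}

# report CMD: one line showing what each probe concludes.
report() {
    status_probe "$1" && s=0 || s=$?
    has_ocsp "$1" && h=yes || h=no
    echo "$1: exit status of 'ocsp' = $s, usage banner = $h"
}

report stub_with_ocsp
report stub_without_ocsp
# To probe a real binary: has_ocsp "${OPENSSL:-openssl}"
```

Both stubs give the same exit status for a bare `ocsp`, so only the banner match tells the two builds apart.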