From MozillaWiki

NSS Test Suite and OCSP

HOWTO setup an OCSP server for the NSS test suite

As part of the "chains" part of the NSS test suite, connections to a special OCSP server will be attempted, which is expected to use certificates and CRLs produced by NSS.

It must be possible to "ping" the server. If the test suite is unable to contact the server, it will report the following message in output.log: "OCSP server not accessible, skipping OCSP tests"

A publicly accessible server should be used to host the OCSP server, as certificates referring to the server will be created and added to the NSS source repository; thus everyone running the NSS tests will make use of the server.

The server should be the OpenCA OCSP server (ocspd), as NSS can produce the right configuration files for this server. Version 1.9.0 is known to work with the plain text conf files created by NSS. (Later versions, such as 2.1.0, appear to require a different configuration file format (xml), and are not tested.)

For the remainder of this document, we assume that ocspd will run on host "ocsp.kuix.de", and that ocspd will not run as user root, but instead as a separate user nssocspd with home directory /home/nssocspd.

On the server as user nssocspd:

Get openca-ocspd-1.9.0.tar.gz from http://sourceforge.net/projects/openca/files/openca-ocspd/releases/v1.9.0/sources/ and build it:

   tar xzf openca-ocspd-1.9.0.tar.gz
   cd openca-ocspd*
   ./configure --prefix=/home/nssocspd/
   make
   make install

On any machine with development/commit access to the NSS repository (e.g. cvs), perform the following steps, which are also outlined in file mozilla/security/nss/tests/chains/ocspd-config/readme:

  1. Change mozilla/security/nss/tests/chains/scenarios/scenarios to contain only one line containing: ocspd.cfg
  2. Set environment variable to run only chains tests: export NSS_TESTS=chains
  3. Set environment variable to have the correct URI in the certificates: export NSS_AIA_OCSP=http://ocsp.kuix.de
  4. Run tests: ./all.sh
  5. Go to results directory: cd mozilla/tests_results/security/${HOST}.${ID}/chains
  6. Copy ocspd-certs.sh and ocspd.conf.template to this directory. Edit ocspd.conf.template and change user/group to nssocspd.
  7. Run: ./ocspd-certs.sh OCSPD ${OCSPD_ETC_DIR} ${LIBPKIX_CERTS_DIR}
     Example: ./ocspd-certs.sh OCSPD /home/nssocspd/etc/ocspd/ ~/nss/securitytip/mozilla/security/nss/tests/libpkix/certs
  8. Commit the new certificates that have been generated under ~/nss/securitytip/mozilla/security/nss/tests/libpkix/certs
  9. Copy config files and keys/certs/crls to the server:
     scp *.conf nssocspd@server:etc/ocspd/
     scp OCSPD/*.pem OCSPD/*.key nssocspd@server:etc/ocspd/OCSPD/
  10. Start the ocspd daemons on the server (one for each config):
     sbin/ocspd -c etc/ocspd/ocspd0.conf -k nssnss -d
     sbin/ocspd -c etc/ocspd/ocspd1.conf -k nssnss -d
     sbin/ocspd -c etc/ocspd/ocspd2.conf -k nssnss -d
     sbin/ocspd -c etc/ocspd/ocspd3.conf -k nssnss -d
  11. Verify that you have 4 running ocspd processes.
  12. Undo the change to mozilla/security/nss/tests/chains/scenarios/scenarios.
  13. Either keep the NSS_TESTS variable, to only run that test, or unset it to run all tests: export -n NSS_TESTS
  14. Run the NSS test suite (see step 4) and verify that you no longer find "skipping OCSP tests" in the output.
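The last steps above amount to two checks: that all four ocspd daemons are up, and that the test suite did not fall back to "skipping OCSP tests". The following script is an added example, not part of the wiki page or of the NSS or OpenCA projects; it assumes the daemons were started with "sbin/ocspd -c etc/ocspd/ocspdN.conf" as shown above and that the test suite writes the skip message to output.log as described. The ps listing and log excerpt it checks are constructed samples embedded inline, so the script runs offline; point the same functions at real "ps ax" output and the real output.log on the server to check a live deployment.

```shell
#!/bin/sh
# Added example (not from the wiki page, NSS or OpenCA): post-setup checks for
# the ocspd deployment. Assumed layout: one daemon per etc/ocspd/ocspdN.conf.

# Count distinct ocspd config files that have a running daemon. Reads "ps"
# style output on stdin so it can be exercised on captured text.
count_ocspd_daemons() {
    grep -o 'ocspd -c [^ ]*ocspd[0-9]*\.conf' | sort -u | wc -l | tr -d ' '
}

# Return 0 if the test-suite log on stdin shows the OCSP tests were skipped
# because the responder could not be reached, 1 otherwise.
ocsp_tests_skipped() {
    grep -q 'OCSP server not accessible, skipping OCSP tests'
}

# Reachability probe against a live responder (needs network; not run in the
# demo below). Exits non-zero if openssl gets no usable OCSP response.
# Arguments: responder URL, issuer certificate (PEM), a certificate it issued.
probe_ocsp_responder() {
    openssl ocsp -issuer "$2" -cert "$3" -url "$1" -resp_text >/dev/null 2>&1
}

# Given a ps listing file and an output.log file, print a verdict and return 0
# only if exactly four daemons are running and the tests were not skipped.
check_deployment() {
    ps_file=$1
    log_file=$2
    status=0
    n=$(count_ocspd_daemons < "$ps_file")
    if [ "$n" -ne 4 ]; then
        echo "expected 4 ocspd daemons, found $n"
        status=1
    fi
    if ocsp_tests_skipped < "$log_file"; then
        echo "test suite could not reach the OCSP server"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OCSP deployment looks healthy"
    fi
    return "$status"
}

# Constructed sample input standing in for "ps ax" on the server. The last line
# is the grep that would typically appear in such a listing and must not count.
SAMPLE_PS='  101 ?  Ss  0:00 sbin/ocspd -c etc/ocspd/ocspd0.conf -k nssnss -d
  102 ?  Ss  0:00 sbin/ocspd -c etc/ocspd/ocspd1.conf -k nssnss -d
  103 ?  Ss  0:00 sbin/ocspd -c etc/ocspd/ocspd2.conf -k nssnss -d
  104 ?  Ss  0:00 sbin/ocspd -c etc/ocspd/ocspd3.conf -k nssnss -d
  200 ?  S   0:00 grep ocspd'

# Constructed output.log excerpts: one healthy run, one where the responder
# was unreachable and the chains tests skipped OCSP.
SAMPLE_LOG_OK='chains.sh: #1: Chains tests: ocspd - PASSED'
SAMPLE_LOG_SKIPPED='OCSP server not accessible, skipping OCSP tests'

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PS" > "$demo_dir/ps.txt"
printf '%s\n' "$SAMPLE_LOG_OK" > "$demo_dir/output.log"
check_deployment "$demo_dir/ps.txt" "$demo_dir/output.log"
rm -rf "$demo_dir"
```

count_ocspd_daemons keys on the config file name rather than on a bare process name, so a stray shell running "grep ocspd", or two daemons accidentally started from the same ocspdN.conf, do not inflate the count.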

NOTE: These instructions assume that the patch from bug 741870 has been applied, which fixes the script and the template for the configuration files.