From 52ffb14a8948bfe40f8d637cc9c0430877608273 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Thu, 4 Jan 2024 11:20:34 +0800 Subject: [PATCH 01/28] demo --- apisix/ssl/router/radixtree_sni.lua | 59 +++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/apisix/ssl/router/radixtree_sni.lua b/apisix/ssl/router/radixtree_sni.lua index b6824852e0b3..b1efaafc1a55 100644 --- a/apisix/ssl/router/radixtree_sni.lua +++ b/apisix/ssl/router/radixtree_sni.lua @@ -221,6 +221,33 @@ function _M.match_and_set(api_ctx, match_only, alt_sni) end +local function get_ocsp_resp(ocsp_url, ocsp_req) + local http = require("resty.http") + local httpc = http.new() + local res, err = httpc:request_uri(ocsp_url, { + method = "POST", + headers = { + ["Content-Type"] = "application/ocsp-request", + }, + body = ocsp_req, + }) + + if not res then + core.log.error("OCSP responder query failed:", err, ", url:", ocsp_url) + return + end + + local http_status = res.status + if http_status ~= 200 then + core.log.error("OCSP responder returns bad HTTP status code:", + http_status, ", url:", ocsp_url) + return + end + + return res.body +end + + function _M.set(matched_ssl, sni) if not matched_ssl then return false, "failed to match ssl certificate" 
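Review bot: `httpc:request_uri(ocsp_url, ...)` in `get_ocsp_resp` runs with lua-resty-http's default timeouts, and since `_M.set` is presumably executed from the TLS certificate callback (its body continues outside the hunk), a slow or unreachable responder stalls every handshake for that certificate; note that the URL is taken from the certificate chain, not from local configuration. Add bounded timeouts before the request, e.g. `httpc:set_timeouts(1000, 1000, 2000)` (values illustrative), and consider returning `nil, err` instead of a bare `return` so callers can distinguish a transport failure from a bad status. The same unbounded request is carried forward into the plugin copies of this code in the later patches (`apisix/plugins/ocsp.lua` and its `fetch_ocsp_resp` / `get_remote_ocsp_resp` rewrites).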
@@ -244,6 +271,38 @@ function _M.set(matched_ssl, sni) return false, err end + local is_ocsp_enabled = true + if is_ocsp_enabled then + local ocsp = require "ngx.ocsp" + local der_cert_chain, err = ngx_ssl.cert_pem_to_der(new_ssl_value.value.cert) + if not der_cert_chain then + core.log.error("failed to convert certificate chain ", + "from PEM to DER: ", err) + end + local ocsp_url, err = ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) + if not ocsp_url then + core.log.error("failed to get OCSP url:", err) + end + + local ocsp_req, err = ocsp.create_ocsp_request(der_cert_chain) + if not ocsp_req then + core.log.error("failed to create OCSP request:", err) + end + + local ocsp_resp = get_ocsp_resp(ocsp_url, ocsp_req) + if ocsp_resp and #ocsp_resp > 0 then + local ok, err = ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain) + if not ok then + core.log.error("failed to validate OCSP response: ", err) + end + -- set the OCSP stapling + ok, err = ocsp.set_ocsp_status_resp(ocsp_resp) + if not ok then + core.log.error("failed to set ocsp status resp: ", err) + end + end + end + if matched_ssl.value.client then local ca_cert = matched_ssl.value.client.ca local depth = matched_ssl.value.client.depth From 2ac41e6e03e4ca3118f13605a9f410768152ffbb Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Thu, 4 Jan 2024 22:16:54 +0800 Subject: [PATCH 02/28] not in apisix mod but plugin --- apisix/plugins/ocsp.lua | 220 ++++++++++++++++++++++++++++ apisix/ssl/router/radixtree_sni.lua | 59 -------- 2 files changed, 220 insertions(+), 59 deletions(-) create mode 100644 apisix/plugins/ocsp.lua diff --git a/apisix/plugins/ocsp.lua b/apisix/plugins/ocsp.lua new file mode 100644 index 000000000000..c3d52175df14 --- /dev/null +++ b/apisix/plugins/ocsp.lua 
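Review bot: A response that fails `ocsp.validate_ocsp_response` is still stapled: the `if not ok then core.log.error(...) end` only logs, and execution falls through to `ocsp.set_ocsp_status_resp(ocsp_resp)`. The earlier guards on `der_cert_chain`, `ocsp_url` and `ocsp_req` behave the same way, so a PEM-to-DER failure passes `nil` into `get_ocsp_responder_from_der_chain` and `create_ocsp_request`. Each failed step should skip the rest of the OCSP block; for the validation step move the stapling call into the success branch: `if not ok then core.log.error("failed to validate OCSP response: ", err) else ok, err = ocsp.set_ocsp_status_resp(ocsp_resp) ... end`. `local is_ocsp_enabled = true` is a hard-coded switch rather than configuration; the enclosing `_M.set` starts and ends outside the hunk.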
@@ -0,0 +1,220 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one +-- or more contributor license agreements. See the NOTICE file +-- distributed with this work for additional information +-- regarding copyright ownership. The ASF licenses this file +-- to you under the Apache License, Version 2.0 (the +-- "License"); you may not use this file except in compliance +-- with the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, +-- software distributed under the License is distributed on an +-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +-- KIND, either express or implied. See the License for the +-- specific language governing permissions and limitations +-- under the License. +-- + +local require = require +local http = require("resty.http") +local radixtree_sni = require("apisix.ssl.router.radixtree_sni") + + +local pcall = pcall + +local get_request = require("resty.core.base").get_request +local core = require("apisix.core") + +local apisix_ssl = require("apisix.ssl") +local _, ssl = pcall(require, "resty.apisix.ssl") +local error = error +local plugin_name = "gm" + + +local plugin_schema = { + type = "object", + properties = {}, +} + +local _M = { + version = 0.1, -- plugin version + priority = -43, + name = plugin_name, -- plugin name + schema = plugin_schema, -- plugin schema +} + + +function _M.check_schema(conf, schema_type) + return core.schema.check(plugin_schema, conf) +end + + +local function get_ocsp_resp(ocsp_url, ocsp_req) + local httpc = http.new() + local res, err = httpc:request_uri(ocsp_url, { + method = "POST", + headers = { + ["Content-Type"] = "application/ocsp-request", + }, + body = ocsp_req + }) + + if not res then + core.log.error("OCSP responder query failed:", err, ", url:", ocsp_url) + return + end + + local http_status = res.status + if http_status ~= 200 then + core.log.error("OCSP 
responder returns bad HTTP status code:", + http_status, ", url:", ocsp_url) + return + end + + return res.body +end + + +local function set_pem_ssl_key(sni, cert, pkey) + local r = get_request() + if r == nil then + return false, "no request found" + end + + local parsed_cert, err = apisix_ssl.fetch_cert(sni, cert) + if not parsed_cert then + return false, "failed to parse PEM cert: " .. err + end + + local ok, err = ngx_ssl.set_cert(parsed_cert) + if not ok then + return false, "failed to set PEM cert: " .. err + end + + local parsed_pkey, err = apisix_ssl.fetch_pkey(sni, pkey) + if not parsed_pkey then + return false, "failed to parse PEM priv key: " .. err + end + + ok, err = ngx_ssl.set_priv_key(parsed_pkey) + if not ok then + return false, "failed to set PEM priv key: " .. err + end + + return true + + local ocsp = require "ngx.ocsp" + local der_cert_chain, err = ngx_ssl.cert_pem_to_der(new_ssl_value.cert) + if not der_cert_chain then + core.log.error("failed to convert certificate chain ", + "from PEM to DER: ", err) + end + local ocsp_url, err = ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) + if not ocsp_url then + core.log.error("failed to get OCSP url:", err) + end + + local ocsp_req, err = ocsp.create_ocsp_request(der_cert_chain) + if not ocsp_req then + core.log.error("failed to create OCSP request:", err) + end + + local ocsp_resp = get_ocsp_resp(ocsp_url, ocsp_req) + if ocsp_resp and #ocsp_resp > 0 then + local ok, err = ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain) + if not ok then + core.log.error("failed to validate OCSP response: ", err) + end + -- set the OCSP stapling + ok, err = ocsp.set_ocsp_status_resp(ocsp_resp) + if not ok then + core.log.error("failed to set ocsp status resp: ", err) + end + end + + + return true +end + + +local original_set_cert_and_key +local function set_cert_and_key(sni, value) + if value.gm then + local ok, err = set_pem_ssl_key(sni, value.cert, value.key) + if not ok then + return false, err + end + 
+ -- multiple certificates support. + if value.certs then + for i = 1, #value.certs do + local cert = value.certs[i] + local key = value.keys[i] + + ok, err = set_pem_ssl_key(sni, cert, key) + if not ok then + return false, err + end + end + end + + return true + return set_pem_ssl_key(sni, enc_cert, enc_pkey, sign_cert, sign_pkey) + end + return original_set_cert_and_key(sni, value) +end + + +local original_check_ssl_conf +local function check_ssl_conf(in_dp, conf) + if conf.gm then + -- process as GM certificate + -- For GM dual certificate, the `cert` and `key` will be encryption cert/key. + -- The first item in `certs` and `keys` will be sign cert/key. + local ok, err = original_check_ssl_conf(in_dp, conf) + -- check cert/key first in the original method + if not ok then + return nil, err + end + + -- Currently, APISIX doesn't check the cert type (ECDSA / RSA). So we skip the + -- check for now in this plugin. + local num_certs = conf.certs and #conf.certs or 0 + local num_keys = conf.keys and #conf.keys or 0 + if num_certs ~= 1 or num_keys ~= 1 then + return nil, "sign cert/key are required" + end + return true + end + return original_check_ssl_conf(in_dp, conf) +end + + +function _M.init() + original_set_cert_and_key = radixtree_sni.set_cert_and_key + radixtree_sni.set_cert_and_key = set_cert_and_key + original_check_ssl_conf = apisix_ssl.check_ssl_conf + apisix_ssl.check_ssl_conf = check_ssl_conf + + if core.schema.ssl.properties.gm ~= nil then + error("Field 'gm' is occupied") + end + + -- inject a mark to distinguish GM certificate + core.schema.ssl.properties.gm = { + type = "boolean" + } +end + + +function _M.destroy() + radixtree_sni.set_cert_and_key = original_set_cert_and_key + apisix_ssl.check_ssl_conf = original_check_ssl_conf + core.schema.ssl.properties.gm = nil +end + + + +return _M diff --git a/apisix/ssl/router/radixtree_sni.lua b/apisix/ssl/router/radixtree_sni.lua index b1efaafc1a55..b6824852e0b3 100644 
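Review bot: In `set_pem_ssl_key` everything after the first `return true` is dead code, and that block references `ngx_ssl` and `new_ssl_value`, neither of which is defined in this file — the requires at the top bring in `http`, `radixtree_sni`, `core`, `apisix_ssl` and `ssl` (via pcall) only, so the live `ngx_ssl.set_cert(parsed_cert)` call above it would also index a nil global. `set_cert_and_key` likewise has an unreachable `return set_pem_ssl_key(sni, enc_cert, enc_pkey, sign_cert, sign_pkey)` after its `return true`. `plugin_name` is still `"gm"` and the hooks key on `value.gm` / `core.schema.ssl.properties.gm`, so loading this plugin alongside the gm plugin would trip the `"Field 'gm' is occupied"` check in whichever initialises second. Add `local ngx_ssl = require("ngx.ssl")` and drop the unreachable blocks.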
--- a/apisix/ssl/router/radixtree_sni.lua +++ b/apisix/ssl/router/radixtree_sni.lua @@ -221,33 +221,6 @@ function _M.match_and_set(api_ctx, match_only, alt_sni) end -local function get_ocsp_resp(ocsp_url, ocsp_req) - local http = require("resty.http") - local httpc = http.new() - local res, err = httpc:request_uri(ocsp_url, { - method = "POST", - headers = { - ["Content-Type"] = "application/ocsp-request", - }, - body = ocsp_req, - }) - - if not res then - core.log.error("OCSP responder query failed:", err, ", url:", ocsp_url) - return - end - - local http_status = res.status - if http_status ~= 200 then - core.log.error("OCSP responder returns bad HTTP status code:", - http_status, ", url:", ocsp_url) - return - end - - return res.body -end - - function _M.set(matched_ssl, sni) if not matched_ssl then return false, "failed to match ssl certificate" 
@@ -271,38 +244,6 @@ function _M.set(matched_ssl, sni) return false, err end - local is_ocsp_enabled = true - if is_ocsp_enabled then - local ocsp = require "ngx.ocsp" - local der_cert_chain, err = ngx_ssl.cert_pem_to_der(new_ssl_value.value.cert) - if not der_cert_chain then - core.log.error("failed to convert certificate chain ", - "from PEM to DER: ", err) - end - local ocsp_url, err = ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) - if not ocsp_url then - core.log.error("failed to get OCSP url:", err) - end - - local ocsp_req, err = ocsp.create_ocsp_request(der_cert_chain) - if not ocsp_req then - core.log.error("failed to create OCSP request:", err) - end - - local ocsp_resp = get_ocsp_resp(ocsp_url, ocsp_req) - if ocsp_resp and #ocsp_resp > 0 then - local ok, err = ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain) - if not ok then - core.log.error("failed to validate OCSP response: ", err) - end - -- set the OCSP stapling - ok, err = ocsp.set_ocsp_status_resp(ocsp_resp) - if not ok then - core.log.error("failed to set ocsp status resp: ", err) - end - end - end - if matched_ssl.value.client then local ca_cert = matched_ssl.value.client.ca local depth = matched_ssl.value.client.depth From 30074374844e2252548f2248c364348ae9234e2a Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Thu, 4 Jan 2024 22:30:06 +0800 Subject: [PATCH 03/28] t --- t/plugin/ocsp.t | 88 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 t/plugin/ocsp.t diff --git a/t/plugin/ocsp.t b/t/plugin/ocsp.t new file mode 100644 index 000000000000..1cb501dddc64 --- /dev/null +++ b/t/plugin/ocsp.t 
@@ -0,0 +1,88 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +log_level('info'); +no_root_location(); +no_shuffle(); + +add_block_preprocessor(sub { + my ($block) = @_; + + if (!$block->request) { + $block->set_value("request", "GET /t"); + } +}); + +run_tests(); + +__DATA__ + +=== TEST 1: set ssl +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local f = assert(io.open("t/certs/server_sign.crt")) + local cert = f:read("*a") + f:close() + + local f = assert(io.open("t/certs/server_sign.key")) + local pkey_sign = f:read("*a") + f:close() + + local data = { + cert = cert_enc, + key = pkey_enc, + sni = "localhost", + } + + local code, body = t.test('/apisix/admin/ssls/1', + ngx.HTTP_PUT, + core.json.encode(data) + ) + + if code >= 300 then + ngx.status = code + ngx.say(body) + return + end + + local code, body = t.test('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/echo" + }]] + ) + + ngx.say(body) + } +} +--- response_body +passed + From a43d348b9ac816cb84fd1815d40970d8094a9555 Mon Sep 17 00:00:00 2001 
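Review bot: The `data` table in TEST 1 sets `cert = cert_enc` and `key = pkey_enc`, but the file reads above assign to `cert` and `pkey_sign`; `cert_enc` and `pkey_enc` are never defined, so the admin PUT is sent with `cert` and `key` absent and the expected `passed` body presumably cannot be produced. Change to `cert = cert, key = pkey_sign,`. As far as this file shows, the ssl object also never sets the `ocsp_stapling` flag, so even once fixed the test does not exercise the stapling path.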
From: yuweizzz Date: Fri, 5 Jan 2024 22:30:19 +0800 Subject: [PATCH 04/28] plugins demo --- apisix/plugins/ocsp.lua | 162 +++++++++++++++++++--------------------- 1 file changed, 78 insertions(+), 84 deletions(-) diff --git a/apisix/plugins/ocsp.lua b/apisix/plugins/ocsp.lua index c3d52175df14..f42b92d662ff 100644 --- a/apisix/plugins/ocsp.lua +++ b/apisix/plugins/ocsp.lua @@ -18,31 +18,30 @@ -- local require = require -local http = require("resty.http") -local radixtree_sni = require("apisix.ssl.router.radixtree_sni") - - local pcall = pcall - local get_request = require("resty.core.base").get_request +local http = require("resty.http") +local ngx_ocsp = require("ngx.ocsp") +local ngx_ssl = require("ngx.ssl") +local radixtree_sni = require("apisix.ssl.router.radixtree_sni") local core = require("apisix.core") - local apisix_ssl = require("apisix.ssl") local _, ssl = pcall(require, "resty.apisix.ssl") local error = error -local plugin_name = "gm" +local plugin_name = "ocsp" + local plugin_schema = { type = "object", properties = {}, } local _M = { - version = 0.1, -- plugin version - priority = -43, - name = plugin_name, -- plugin name - schema = plugin_schema, -- plugin schema + version = 0.1, + priority = -42, + name = plugin_name, + schema = plugin_schema, } 
@@ -62,21 +61,57 @@ local function get_ocsp_resp(ocsp_url, ocsp_req) }) if not res then - core.log.error("OCSP responder query failed:", err, ", url:", ocsp_url) - return + return false, "OCSP responder query failed: " .. err end local http_status = res.status if http_status ~= 200 then - core.log.error("OCSP responder returns bad HTTP status code:", - http_status, ", url:", ocsp_url) - return + return false, "OCSP responder returns bad HTTP status code: " .. http_status + end + + return true, nil, res.body +end + + +local function get_ocsp_url_and_ocsp_req(pem_cert_chain) + local der_cert_chain, err = ngx_ssl.cert_pem_to_der(pem_cert_chain) + if not der_cert_chain then + return false, "failed to convert certificate chain from PEM to DER: " .. err + end + + local ocsp_url, err = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) + if not ocsp_url then + return false, "failed to get OCSP url: " .. err end - return res.body + local ocsp_req, err = ocsp.create_ocsp_request(der_cert_chain) + if not ocsp_req then + return false, "failed to create OCSP request: " .. err + end + + return true, nil, ocsp_url, ocsp_req +end + + +local function validate_and_set_ocsp_resp(der_cert_chain, ocsp_resp) + if ocsp_resp and #ocsp_resp > 0 then + local ok, err = ngx_ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain) + if not ok then + return false, "failed to validate OCSP response: " .. err + end + + -- set the OCSP stapling + ok, err = ngx_ocsp.set_ocsp_status_resp(ocsp_resp) + if not ok then + return false, "failed to set ocsp status resp: " .. err + end + end + + return true end +-- same as function set_pem_ssl_key() from "apisix.ssl.router.radixtree_sni" local function set_pem_ssl_key(sni, cert, pkey) local r = get_request() if r == nil then 
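Review bot: `get_ocsp_url_and_ocsp_req` calls `ocsp.create_ocsp_request(der_cert_chain)`, but the only OCSP binding in scope is `ngx_ocsp` (the first hunk's `local ngx_ocsp = require("ngx.ocsp")`), so this line indexes a nil global on every run. Use `local ocsp_req, err = ngx_ocsp.create_ocsp_request(der_cert_chain)`. The helper also keeps `der_cert_chain` local while `validate_and_set_ocsp_resp(der_cert_chain, ocsp_resp)` below needs it; returning it alongside `ocsp_url, ocsp_req` would let the caller validate the response against the same chain.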
@@ -103,50 +138,20 @@ local function set_pem_ssl_key(sni, cert, pkey) return false, "failed to set PEM priv key: " .. err end - return true - - local ocsp = require "ngx.ocsp" - local der_cert_chain, err = ngx_ssl.cert_pem_to_der(new_ssl_value.cert) - if not der_cert_chain then - core.log.error("failed to convert certificate chain ", - "from PEM to DER: ", err) - end - local ocsp_url, err = ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) - if not ocsp_url then - core.log.error("failed to get OCSP url:", err) - end - - local ocsp_req, err = ocsp.create_ocsp_request(der_cert_chain) - if not ocsp_req then - core.log.error("failed to create OCSP request:", err) - end - - local ocsp_resp = get_ocsp_resp(ocsp_url, ocsp_req) - if ocsp_resp and #ocsp_resp > 0 then - local ok, err = ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain) - if not ok then - core.log.error("failed to validate OCSP response: ", err) - end - -- set the OCSP stapling - ok, err = ocsp.set_ocsp_status_resp(ocsp_resp) - if not ok then - core.log.error("failed to set ocsp status resp: ", err) - end - end - - return true end local original_set_cert_and_key local function set_cert_and_key(sni, value) - if value.gm then + -- maybe not run with gm + if value.ocsp_stapling then local ok, err = set_pem_ssl_key(sni, value.cert, value.key) if not ok then return false, err end - + local fin_cert = value.cert + -- multiple certificates support. if value.certs then for i = 1, #value.certs do 
@@ -157,53 +162,44 @@ local function set_cert_and_key(sni, value) if not ok then return false, err end + fin_cert = cert end end - - return true - return set_pem_ssl_key(sni, enc_cert, enc_pkey, sign_cert, sign_pkey) - end - return original_set_cert_and_key(sni, value) -end - -local original_check_ssl_conf -local function check_ssl_conf(in_dp, conf) - if conf.gm then - -- process as GM certificate - -- For GM dual certificate, the `cert` and `key` will be encryption cert/key. - -- The first item in `certs` and `keys` will be sign cert/key. - local ok, err = original_check_ssl_conf(in_dp, conf) - -- check cert/key first in the original method + local ok, err, ocsp_url, ocsp_req = get_ocsp_url_and_ocsp_req(fin_cert) if not ok then - return nil, err + -- get ocsp url failed, maybe certificates not support + core.log.error(err) + return true end - - -- Currently, APISIX doesn't check the cert type (ECDSA / RSA). So we skip the - -- check for now in this plugin. - local num_certs = conf.certs and #conf.certs or 0 - local num_keys = conf.keys and #conf.keys or 0 - if num_certs ~= 1 or num_keys ~= 1 then - return nil, "sign cert/key are required" + local ok, err, ocsp_resp = get_ocsp_resp(ocsp_url, ocsp_req) + if not ok then + -- get ocsp resp failed + core.log.error(err) + return true + end + ok, err = validate_and_set_ocsp_resp(ocsp_resp) + if not ok then + -- validate or set ocsp resp failed + core.log.error(err) + return true end + return true end - return original_check_ssl_conf(in_dp, conf) + return original_set_cert_and_key(sni, value) end function _M.init() original_set_cert_and_key = radixtree_sni.set_cert_and_key radixtree_sni.set_cert_and_key = set_cert_and_key - original_check_ssl_conf = apisix_ssl.check_ssl_conf - apisix_ssl.check_ssl_conf = check_ssl_conf - if core.schema.ssl.properties.gm ~= nil then - error("Field 'gm' is occupied") + if core.schema.ssl.properties.ocsp_stapling ~= nil then + error("Field 'ocsp_stapling' is occupied") end - -- inject a mark 
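Review bot: `fin_cert` starts as `value.cert` and is overwritten by every entry of `value.certs`, so the OCSP lookup that follows (outside this hunk) is done only for the last certificate configured. With several certificates on one SNI the staple may then correspond to a certificate other than the one the server selects for a given client; whether more than one staple per handshake can be expressed is not visible here. At minimum document the choice: `-- OCSP is fetched for the last certificate only; earlier certs are set but not stapled`. The enclosing `set_cert_and_key` ends outside the hunk.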
to distinguish GM certificate - core.schema.ssl.properties.gm = { + core.schema.ssl.properties.ocsp_stapling = { type = "boolean" } end @@ -211,10 +207,8 @@ end function _M.destroy() radixtree_sni.set_cert_and_key = original_set_cert_and_key - apisix_ssl.check_ssl_conf = original_check_ssl_conf - core.schema.ssl.properties.gm = nil + core.schema.ssl.properties.ocsp_stapling = nil end - return _M From 428fd863fd3c4cc78635e5a3c3de41267c92e550 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Fri, 5 Jan 2024 22:33:24 +0800 Subject: [PATCH 05/28] rename --- apisix/plugins/{ocsp.lua => ocsp-stapling.lua} | 0 conf/config-default.yaml | 1 + t/plugin/{ocsp.t => ocsp-stapling.t} | 0 3 files changed, 1 insertion(+) rename apisix/plugins/{ocsp.lua => ocsp-stapling.lua} (100%) rename t/plugin/{ocsp.t => ocsp-stapling.t} (100%) diff --git a/apisix/plugins/ocsp.lua b/apisix/plugins/ocsp-stapling.lua similarity index 100% rename from apisix/plugins/ocsp.lua rename to apisix/plugins/ocsp-stapling.lua diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 6ab8db8aa608..e0411df3f3fd 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -523,6 +523,7 @@ plugins: # plugin list (sorted by priority) #- log-rotate # priority: 100 # <- recommend to use priority (0, 100) for your custom plugins - example-plugin # priority: 0 + #- ocsp-stapling # priority: -42 #- gm # priority: -43 - aws-lambda # priority: -1899 - azure-functions # priority: -1900 diff --git a/t/plugin/ocsp.t b/t/plugin/ocsp-stapling.t similarity index 100% rename from t/plugin/ocsp.t rename to t/plugin/ocsp-stapling.t From 2d7567b82f4aa81c642e85419c88e3f875c7c96c Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Fri, 5 Jan 2024 22:35:24 +0800 Subject: [PATCH 06/28] lint --- apisix/plugins/ocsp-stapling.lua | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua index f42b92d662ff..4d0c14ba5d07 100644 
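Review bot: `validate_and_set_ocsp_resp(ocsp_resp)` passes one argument, but the function is declared `validate_and_set_ocsp_resp(der_cert_chain, ocsp_resp)` in the earlier hunk, so the response lands in `der_cert_chain` and `ocsp_resp` is `nil`; the `if ocsp_resp and #ocsp_resp > 0` guard then never holds and nothing is ever stapled, with no error logged. The DER chain is not available at this call site because `get_ocsp_url_and_ocsp_req` keeps it local, so either return it from that helper or pass `fin_cert` and convert again. Each failure path here logs and `return true`, i.e. the handshake proceeds without a staple — reasonable for stapling, but worth a comment such as `-- OCSP failures are non-fatal: the handshake continues without a staple`.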
--- a/apisix/plugins/ocsp-stapling.lua +++ b/apisix/plugins/ocsp-stapling.lua @@ -111,7 +111,7 @@ local function validate_and_set_ocsp_resp(der_cert_chain, ocsp_resp) end --- same as function set_pem_ssl_key() from "apisix.ssl.router.radixtree_sni" +-- same as function set_pem_ssl_key() from "apisix.ssl.router.radixtree_sni" local function set_pem_ssl_key(sni, cert, pkey) local r = get_request() if r == nil then @@ -157,7 +157,6 @@ local function set_cert_and_key(sni, value) for i = 1, #value.certs do local cert = value.certs[i] local key = value.keys[i] - ok, err = set_pem_ssl_key(sni, cert, key) if not ok then return false, err From 0e8924acf4e8239cecc1a03f1aaa760b6300fd15 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Sat, 6 Jan 2024 12:39:42 +0800 Subject: [PATCH 07/28] run successfully --- apisix/plugins/ocsp-stapling.lua | 93 +++++++++++++++++--------------- 1 file changed, 51 insertions(+), 42 deletions(-) diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua index 4d0c14ba5d07..526f1b29d701 100644 --- a/apisix/plugins/ocsp-stapling.lua +++ b/apisix/plugins/ocsp-stapling.lua @@ -50,7 +50,27 @@ function _M.check_schema(conf, schema_type) end -local function get_ocsp_resp(ocsp_url, ocsp_req) +local function get_ocsp_url(der_cert_chain) + local ocsp_url, err = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) + if not ocsp_url then + core.log.error("failed to get OCSP url: ", err) + return nil + end + return ocsp_url +end + + +local function create_ocsp_req(der_cert_chain) + local ocsp_req, err = ngx_ocsp.create_ocsp_request(der_cert_chain) + if not ocsp_req then + core.log.error("failed to create OCSP request: ", err) + return nil + end + return ocsp_req +end + + +local function fetch_ocsp_resp(ocsp_url, ocsp_req) local httpc = http.new() local res, err = httpc:request_uri(ocsp_url, { method = "POST", 
@@ -61,35 +81,17 @@ local function get_ocsp_resp(ocsp_url, ocsp_req) }) if not res then - return false, "OCSP responder query failed: " .. err + core.log.error("OCSP responder query failed: ", err) + return nil end local http_status = res.status if http_status ~= 200 then - return false, "OCSP responder returns bad HTTP status code: " .. http_status - end - - return true, nil, res.body -end - - -local function get_ocsp_url_and_ocsp_req(pem_cert_chain) - local der_cert_chain, err = ngx_ssl.cert_pem_to_der(pem_cert_chain) - if not der_cert_chain then - return false, "failed to convert certificate chain from PEM to DER: " .. err + core.log.error("OCSP responder returns bad HTTP status code: ", + http_status) + return nil end - - local ocsp_url, err = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) - if not ocsp_url then - return false, "failed to get OCSP url: " .. err - end - - local ocsp_req, err = ocsp.create_ocsp_request(der_cert_chain) - if not ocsp_req then - return false, "failed to create OCSP request: " .. err - end - - return true, nil, ocsp_url, ocsp_req + return res.body end @@ -97,17 +99,18 @@ local function validate_and_set_ocsp_resp(der_cert_chain, ocsp_resp) if ocsp_resp and #ocsp_resp > 0 then local ok, err = ngx_ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain) if not ok then - return false, "failed to validate OCSP response: " .. err + core.log.error("failed to validate OCSP response: ", err) + return false end -- set the OCSP stapling ok, err = ngx_ocsp.set_ocsp_status_resp(ocsp_resp) - if not ok then - return false, "failed to set ocsp status resp: " .. err + if err then + core.log.error("failed to set ocsp status resp: ", err) end + return ok end - - return true + return false end 
@@ -165,25 +168,31 @@ local function set_cert_and_key(sni, value) end end - local ok, err, ocsp_url, ocsp_req = get_ocsp_url_and_ocsp_req(fin_cert) - if not ok then - -- get ocsp url failed, maybe certificates not support - core.log.error(err) + local der_cert_chain, err = ngx_ssl.cert_pem_to_der(fin_cert) + if not der_cert_chain then + -- cert convert failed, no ocsp response sent + core.log.error("failed to convert certificate chain from PEM to DER: ", err) return true end - local ok, err, ocsp_resp = get_ocsp_resp(ocsp_url, ocsp_req) - if not ok then - -- get ocsp resp failed - core.log.error(err) + local ocsp_url = get_ocsp_url(der_cert_chain) + if not ocsp_url then + -- get ocsp_url failed, maybe cert not support, + -- no ocsp response sent return true end - ok, err = validate_and_set_ocsp_resp(ocsp_resp) - if not ok then - -- validate or set ocsp resp failed - core.log.error(err) + local ocsp_req = create_ocsp_req(der_cert_chain) + if not ocsp_req then + -- create ocsp_req body failed, no ocsp response sent return true end + local ocsp_resp = fetch_ocsp_resp(ocsp_url, ocsp_req) + local ok = validate_and_set_ocsp_resp(der_cert_chain, ocsp_resp) + if not ok then + -- validate and set ocsp_resp failed, no ocsp response sent + core.log.error("failed to validate and set ocsp_resp") + end + -- ocsp response send return true end return original_set_cert_and_key(sni, value) From 4273ac37a2f3d0446718b43af1e3e170311bfdc5 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Sat, 6 Jan 2024 15:23:06 +0800 Subject: [PATCH 08/28] plugin with cache --- apisix/plugins/ocsp-stapling.lua | 151 ++++++++++++++----------------- 1 file changed, 68 insertions(+), 83 deletions(-) diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua index 526f1b29d701..6ea0152de93d 100644 --- a/apisix/plugins/ocsp-stapling.lua +++ b/apisix/plugins/ocsp-stapling.lua 
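Review bot: Every TLS handshake for a stapling-enabled SNI now performs a synchronous outbound `fetch_ocsp_resp` to the responder named in the certificate, since nothing between `ngx_ssl.cert_pem_to_der(fin_cert)` and `validate_and_set_ocsp_resp` is cached; a burst of handshakes becomes a burst of requests to the CA and a slow responder slows every connection (PATCH 08/28 later introduces a cache). When `fetch_ocsp_resp` returns `nil`, `validate_and_set_ocsp_resp` returns `false` and the caller logs a second, generic `failed to validate and set ocsp_resp` on top of the specific error already logged; testing `ocsp_resp` before calling would avoid the duplicate. The enclosing `set_cert_and_key` begins outside the hunk.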
@@ -29,8 +29,7 @@ local apisix_ssl = require("apisix.ssl") local _, ssl = pcall(require, "resty.apisix.ssl") local error = error - -local plugin_name = "ocsp" +local plugin_name = "ocsp-stapling" local plugin_schema = { type = "object", @@ -38,10 +37,14 @@ local plugin_schema = { } local _M = { - version = 0.1, + name = plugin_name, + schema = plugin_schema, + version = 0.1, priority = -42, - name = plugin_name, - schema = plugin_schema, +} + +local ocsp_resp_cache = core.lrucache.new { + ttl = 3600, count = 1024, } 
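Review bot: `ocsp_resp_cache` keeps a responder reply for a fixed `ttl = 3600` regardless of the validity window the response itself carries, so a reply that expires sooner can still be served from the cache for the remainder of the hour; whether `ngx_ocsp.validate_ocsp_response` (applied to the cached value in a later hunk) rejects a time-expired response is not visible here — confirm before relying on it. Conversely a response with a long validity is re-fetched hourly. Document the assumption next to the constructor: `-- cached OCSP responses are refreshed hourly; TTL is not derived from the response's nextUpdate`.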
@@ -50,27 +53,50 @@ function _M.check_schema(conf, schema_type) end -local function get_ocsp_url(der_cert_chain) - local ocsp_url, err = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) - if not ocsp_url then - core.log.error("failed to get OCSP url: ", err) - return nil +-- same as function set_pem_ssl_key() from "apisix.ssl.router.radixtree_sni" +local function set_pem_ssl_key(sni, cert, pkey) + local r = get_request() + if r == nil then + return false, "no request found" + end + + local parsed_cert, err = apisix_ssl.fetch_cert(sni, cert) + if not parsed_cert then + return false, "failed to parse PEM cert: " .. err end - return ocsp_url + + local ok, err = ngx_ssl.set_cert(parsed_cert) + if not ok then + return false, "failed to set PEM cert: " .. err + end + + local parsed_pkey, err = apisix_ssl.fetch_pkey(sni, pkey) + if not parsed_pkey then + return false, "failed to parse PEM priv key: " .. err + end + + ok, err = ngx_ssl.set_priv_key(parsed_pkey) + if not ok then + return false, "failed to set PEM priv key: " .. err + end + + return true end -local function create_ocsp_req(der_cert_chain) +local function get_remote_ocsp_resp(der_cert_chain) + --- debug info + core.log.error("start to get_remote_ocsp_resp") + local ocsp_url, err = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) + if not ocsp_url then + return nil, "failed to get OCSP url: " .. err + end + local ocsp_req, err = ngx_ocsp.create_ocsp_request(der_cert_chain) if not ocsp_req then - core.log.error("failed to create OCSP request: ", err) - return nil + return nil, "failed to create OCSP request: " .. err end - return ocsp_req -end - -local function fetch_ocsp_resp(ocsp_url, ocsp_req) local httpc = http.new() local res, err = httpc:request_uri(ocsp_url, { method = "POST", 
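Review bot: `core.log.error("start to get_remote_ocsp_resp")` under `--- debug info` emits an error-level log line on every cache miss with no error condition, which pollutes error logs and trips alerting keyed on them; use `core.log.debug(...)` or drop it (it is removed in PATCH 09/28). The `set_pem_ssl_key` copy moved above it is identical to the one previously in the file, so the hunk is otherwise a relocation.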
@@ -81,64 +107,43 @@ local function fetch_ocsp_resp(ocsp_url, ocsp_req) }) if not res then - core.log.error("OCSP responder query failed: ", err) - return nil + return nil, "OCSP responder query failed: " .. err end local http_status = res.status if http_status ~= 200 then - core.log.error("OCSP responder returns bad HTTP status code: ", - http_status) - return nil + return nil, "OCSP responder returns bad HTTP status code: " + .. http_status end - return res.body -end - -local function validate_and_set_ocsp_resp(der_cert_chain, ocsp_resp) - if ocsp_resp and #ocsp_resp > 0 then - local ok, err = ngx_ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain) - if not ok then - core.log.error("failed to validate OCSP response: ", err) - return false - end - - -- set the OCSP stapling - ok, err = ngx_ocsp.set_ocsp_status_resp(ocsp_resp) - if err then - core.log.error("failed to set ocsp status resp: ", err) - end - return ok + if res.body and #res.body > 0 then + return res.body, nil end - return false + + return nil, "OCSP responder returns empty body" end --- same as function set_pem_ssl_key() from "apisix.ssl.router.radixtree_sni" -local function set_pem_ssl_key(sni, cert, pkey) - local r = get_request() - if r == nil then - return false, "no request found" +local function set_ocsp_resp(full_chain_pem_cert) + local der_cert_chain, err = ngx_ssl.cert_pem_to_der(full_chain_pem_cert) + if not der_cert_chain then + return false, "failed to convert certificate chain from PEM to DER: ", err end - local parsed_cert, err = apisix_ssl.fetch_cert(sni, cert) - if not parsed_cert then - return false, "failed to parse PEM cert: " .. err + local ocsp_resp, err = ocsp_resp_cache(full_chain_pem_cert, nil, get_remote_ocsp_resp, der_cert_chain) + if not ocsp_resp then + return false, err end - local ok, err = ngx_ssl.set_cert(parsed_cert) + local ok, err = ngx_ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain) if not ok then - return false, "failed to set PEM cert: " .. 
err - end - - local parsed_pkey, err = apisix_ssl.fetch_pkey(sni, pkey) - if not parsed_pkey then - return false, "failed to parse PEM priv key: " .. err + return false, "failed to validate OCSP response: " .. err end - ok, err = ngx_ssl.set_priv_key(parsed_pkey) - if not ok then - return false, "failed to set PEM priv key: " .. err + -- set the OCSP stapling + ok, err = ngx_ocsp.set_ocsp_status_resp(ocsp_resp) + if not ok or err ~= nil then + return false, "failed to set OCSP status response: " .. err end return true @@ -153,7 +158,7 @@ local function set_cert_and_key(sni, value) if not ok then return false, err end - local fin_cert = value.cert + local fin_pem_cert = value.cert -- multiple certificates support. if value.certs then @@ -164,35 +169,15 @@ local function set_cert_and_key(sni, value) if not ok then return false, err end - fin_cert = cert + fin_pem_cert = cert end end - local der_cert_chain, err = ngx_ssl.cert_pem_to_der(fin_cert) - if not der_cert_chain then - -- cert convert failed, no ocsp response sent - core.log.error("failed to convert certificate chain from PEM to DER: ", err) - return true - end - local ocsp_url = get_ocsp_url(der_cert_chain) - if not ocsp_url then - -- get ocsp_url failed, maybe cert not support, - -- no ocsp response sent - return true - end - local ocsp_req = create_ocsp_req(der_cert_chain) - if not ocsp_req then - -- create ocsp_req body failed, no ocsp response sent - return true - end - local ocsp_resp = fetch_ocsp_resp(ocsp_url, ocsp_req) - local ok = validate_and_set_ocsp_resp(der_cert_chain, ocsp_resp) + local ok, err = set_ocsp_resp(fin_pem_cert) if not ok then - -- validate and set ocsp_resp failed, no ocsp response sent - core.log.error("failed to validate and set ocsp_resp") + core.log.error("OCSP response will not send, Error info: ", err) end - -- ocsp response send return true end return original_set_cert_and_key(sni, value) From e75e11a103df8d5b8504272fa32caec03434b84c Mon Sep 17 00:00:00 2001 
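Review bot: In `set_ocsp_resp` the line `return false, "failed to convert certificate chain from PEM to DER: ", err` joins the message and `err` with a comma rather than `..`, so the caller's `local ok, err = set_ocsp_resp(fin_pem_cert)` receives only the static prefix and the underlying error is dropped from the log. Further down, `if not ok or err ~= nil then return false, "failed to set OCSP status response: " .. err end` concatenates `err` even when `ok` is falsy and `err` is `nil`, which raises a Lua error inside the handshake callback instead of returning a message; the same pattern remains after PATCH 10/28 rewords this function. Write `return false, "failed to convert certificate chain from PEM to DER: " .. err` and use `.. (err or "unknown error")` in the status-response branch.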
From: yuweizzz Date: Sat, 6 Jan 2024 21:52:17 +0800 Subject: [PATCH 09/28] not run with gm --- apisix/plugins/ocsp-stapling.lua | 17 +++++++++-------- conf/config-default.yaml | 2 +- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua index 6ea0152de93d..9e71c937ab06 100644 --- a/apisix/plugins/ocsp-stapling.lua +++ b/apisix/plugins/ocsp-stapling.lua @@ -26,8 +26,6 @@ local ngx_ssl = require("ngx.ssl") local radixtree_sni = require("apisix.ssl.router.radixtree_sni") local core = require("apisix.core") local apisix_ssl = require("apisix.ssl") -local _, ssl = pcall(require, "resty.apisix.ssl") -local error = error local plugin_name = "ocsp-stapling" @@ -40,7 +38,7 @@ local _M = { name = plugin_name, schema = plugin_schema, version = 0.1, - priority = -42, + priority = -44, } local ocsp_resp_cache = core.lrucache.new { @@ -85,8 +83,6 @@ end local function get_remote_ocsp_resp(der_cert_chain) - --- debug info - core.log.error("start to get_remote_ocsp_resp") local ocsp_url, err = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) if not ocsp_url then return nil, "failed to get OCSP url: " .. err @@ -152,8 +148,7 @@ end local original_set_cert_and_key local function set_cert_and_key(sni, value) - -- maybe not run with gm - if value.ocsp_stapling then + if not value.gm and value.ocsp_stapling then local ok, err = set_pem_ssl_key(sni, value.cert, value.key) if not ok then return false, err 
@@ -180,16 +175,22 @@ local function set_cert_and_key(sni, value) return true end + -- should not run with gm plugin + -- if gm plugin enabled, will not run ocsp-stapling plugin return original_set_cert_and_key(sni, value) end function _M.init() + if core.schema.ssl.properties.gm ~= nil then + core.log.error("ocsp-stapling plugin should not run with gm plugin") + end + original_set_cert_and_key = radixtree_sni.set_cert_and_key radixtree_sni.set_cert_and_key = set_cert_and_key if core.schema.ssl.properties.ocsp_stapling ~= nil then - error("Field 'ocsp_stapling' is occupied") + core.log.error("Field 'ocsp_stapling' is occupied") end core.schema.ssl.properties.ocsp_stapling = { diff --git a/conf/config-default.yaml b/conf/config-default.yaml index e0411df3f3fd..bf9016725e22 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -523,8 +523,8 @@ plugins: # plugin list (sorted by priority) #- log-rotate # priority: 100 # <- recommend to use priority (0, 100) for your custom plugins - example-plugin # priority: 0 - #- ocsp-stapling # priority: -42 #- gm # priority: -43 + #- ocsp-stapling # priority: -44 - aws-lambda # priority: -1899 - azure-functions # priority: -1900 - openwhisk # priority: -1901 From 48a7a065de99f3983a80b2f406dfd8f086176a58 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Tue, 9 Jan 2024 22:27:52 +0800 Subject: [PATCH 10/28] fix: nil error --- apisix/plugins/ocsp-stapling.lua | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua index 9e71c937ab06..daea137fd744 100644 --- a/apisix/plugins/ocsp-stapling.lua +++ b/apisix/plugins/ocsp-stapling.lua 
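Review bot: In `_M.init()` the occupied-field check is demoted from `error(...)` to `core.log.error(...)`, yet the assignment `core.schema.ssl.properties.ocsp_stapling = {` that follows still overwrites whatever another plugin registered under that name, so a real schema conflict is now silently papered over instead of stopping startup; keeping `error("Field 'ocsp_stapling' is occupied")` is the safer behaviour. The new `gm` check likewise only logs and then goes on to patch `radixtree_sni.set_cert_and_key`, and it appears to depend on gm's `init()` having run first (plugin priority ordering), which is worth confirming. If the two plugins really must not coexist, failing `init()` is clearer than a log line that is easy to miss. `_M.init` continues past the hunk.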
@@ -83,14 +83,14 @@ end local function get_remote_ocsp_resp(der_cert_chain) - local ocsp_url, err = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) + local ocsp_url = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) if not ocsp_url then - return nil, "failed to get OCSP url: " .. err + return nil, "failed to get ocsp url" end local ocsp_req, err = ngx_ocsp.create_ocsp_request(der_cert_chain) if not ocsp_req then - return nil, "failed to create OCSP request: " .. err + return nil, "failed to create ocsp request: " .. err end local httpc = http.new() @@ -103,12 +103,12 @@ local function get_remote_ocsp_resp(der_cert_chain) }) if not res then - return nil, "OCSP responder query failed: " .. err + return nil, "ocsp responder query failed: " .. err end local http_status = res.status if http_status ~= 200 then - return nil, "OCSP responder returns bad HTTP status code: " + return nil, "ocsp responder returns bad http status code: " .. http_status end @@ -116,7 +116,7 @@ local function get_remote_ocsp_resp(der_cert_chain) return res.body, nil end - return nil, "OCSP responder returns empty body" + return nil, "ocsp responder returns empty body" end @@ -133,13 +133,13 @@ local function set_ocsp_resp(full_chain_pem_cert) local ok, err = ngx_ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain) if not ok then - return false, "failed to validate OCSP response: " .. err + return false, "failed to validate ocsp response: " .. err end -- set the OCSP stapling ok, err = ngx_ocsp.set_ocsp_status_resp(ocsp_resp) if not ok or err ~= nil then - return false, "failed to set OCSP status response: " .. err + return false, "failed to set ocsp status response: " .. err end return true @@ -170,7 +170,7 @@ local function set_cert_and_key(sni, value) local ok, err = set_ocsp_resp(fin_pem_cert) if not ok then - core.log.error("OCSP response will not send, Error info: ", err) + core.log.error("ocsp response will not send, error info: ", err) end return true 
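Review bot: In the `@@ -133,13 +133,13 @@` hunk the condition `if not ok or err ~= nil then` treats any second return value of `ngx_ocsp.set_ocsp_status_resp` as a failure; as far as I recall, lua-resty-core returns `true, "no status req"` when the client sent no status_request extension, so every such handshake would be reported as `failed to set ocsp status response: no status req` at error level although nothing is wrong. Checking only `if not ok then` and logging the warning string at info level keeps the error log meaningful. In the first hunk, dropping `err` from `get_ocsp_responder_from_der_chain` discards the only diagnostic for a missing responder URL; keeping `local ocsp_url, err = ...` and concatenating `(err or "unknown")` preserves it without risking a nil concatenation.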
From faf334a0bfebe4b6340eb029e822e0112de65903 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Wed, 10 Jan 2024 00:10:04 +0800 Subject: [PATCH 11/28] main func ok --- apisix/plugins/ocsp-stapling.lua | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua index daea137fd744..e10d3cd5af32 100644 --- a/apisix/plugins/ocsp-stapling.lua +++ b/apisix/plugins/ocsp-stapling.lua @@ -46,7 +46,7 @@ local ocsp_resp_cache = core.lrucache.new { } -function _M.check_schema(conf, schema_type) +function _M.check_schema(conf) return core.schema.check(plugin_schema, conf) end @@ -126,7 +126,8 @@ local function set_ocsp_resp(full_chain_pem_cert) return false, "failed to convert certificate chain from PEM to DER: ", err end - local ocsp_resp, err = ocsp_resp_cache(full_chain_pem_cert, nil, get_remote_ocsp_resp, der_cert_chain) + local ocsp_resp, err = ocsp_resp_cache(full_chain_pem_cert, nil, + get_remote_ocsp_resp, der_cert_chain) if not ocsp_resp then return false, err end From 0a747873bbe22fed2170d6f6c946a1bfc44e7394 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Thu, 11 Jan 2024 00:45:07 +0800 Subject: [PATCH 12/28] working on t file --- t/plugin/ocsp-stapling.t | 235 +++++++++++++++++++++++++++++++++++---- 1 file changed, 216 insertions(+), 19 deletions(-) diff --git a/t/plugin/ocsp-stapling.t b/t/plugin/ocsp-stapling.t index 1cb501dddc64..2eb3088f9b2f 100644 --- a/t/plugin/ocsp-stapling.t +++ b/t/plugin/ocsp-stapling.t 
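Review bot: In the `@@ -126,7 +126,8 @@` hunk the context line `return false, "failed to convert certificate chain from PEM to DER: ", err` returns three values instead of one message, so the caller's `local ok, err = set_ocsp_resp(fin_pem_cert)` receives only the fixed prefix and the actual error from `cert_pem_to_der` is lost; it should read `return false, "failed to convert certificate chain from PEM to DER: " .. err`. The surrounding function starts before the hunk.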
@@ -26,34 +26,76 @@ no_shuffle(); add_block_preprocessor(sub { my ($block) = @_; + # setup default conf.yaml + my $extra_yaml_config = $block->extra_yaml_config // <<_EOC_; +plugins: + - ocsp-stapling +_EOC_ + + $block->set_value("extra_yaml_config", $extra_yaml_config); + if (!$block->request) { $block->set_value("request", "GET /t"); } }); -run_tests(); +run_tests; __DATA__ -=== TEST 1: set ssl +=== TEST 1: disable ocsp-stapling plugin +--- extra_yaml_config --- config location /t { content_by_lua_block { local core = require("apisix.core") local t = require("lib.test_admin") - local f = assert(io.open("t/certs/server_sign.crt")) - local cert = f:read("*a") - f:close() + local ssl_cert = t.read_file("t/certs/apisix.crt") + local ssl_key = t.read_file("t/certs/apisix.key") + + local data = { + cert = ssl_cert, + key = ssl_key, + sni = "test.com", + ocsp_stapling = true + } + + local code, body = t.test('/apisix/admin/ssls/1', + ngx.HTTP_PUT, + core.json.encode(data) + ) + + if code >= 300 then + ngx.status = code + ngx.say(body) + return + end + + ngx.say(body) + } +} +--- error_code: 400 +--- error_log +additional properties forbidden, found ocsp_stapling + + + +=== TEST 2: enable ocsp-stapling plugin, set cert which not support ocsp +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") - local f = assert(io.open("t/certs/server_sign.key")) - local pkey_sign = f:read("*a") - f:close() + local ssl_cert = t.read_file("t/certs/apisix.crt") + local ssl_key = t.read_file("t/certs/apisix.key") local data = { - cert = cert_enc, - key = pkey_enc, - sni = "localhost", + cert = ssl_cert, + key = ssl_key, + sni = "test.com", + ocsp_stapling = true } local code, body = t.test('/apisix/admin/ssls/1', 
@@ -67,22 +109,177 @@ location /t { return end - local code, body = t.test('/apisix/admin/routes/1', + ngx.say(body) + } +} +--- response_body +passed + + + +=== TEST 3: no response send, get ocsp responder url failed:1 +--- exec +openssl s_client -connect localhost:1994 -servername test.com -status +--- response_body_like eval +qr/CONNECTED/ +--- error_log +ocsp response will not send, error info: failed to get ocsp url: nil + + + +=== TEST 4: no response send, get ocsp responder url failed:2 +--- exec +openssl s_client -connect localhost:1994 -servername test.com -status +--- response_body_like eval +qr/OCSP response: no response sent/ +--- error_log +ocsp response will not send, error info: failed to get ocsp url: nil + + + +=== TEST 5: enable ocsp-stapling plugin, set cert which support ocsp +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("t/certs/ocsp/ocsp_rsa.crt") + local ssl_key = t.read_file("t/certs/ocsp/ocsp_rsa.key") + + local data = { + cert = ssl_cert, + key = ssl_key, + sni = "ocsp.test.com", + ocsp_stapling = true + } + + local code, body = t.test('/apisix/admin/ssls/1', ngx.HTTP_PUT, + core.json.encode(data) + ) + + if code >= 300 then + ngx.status = code + ngx.say(body) + return + end + + ngx.say(body) + } +} +--- response_body +passed + + + +=== TEST 6: hit, get ocsp response:1 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com +--- response_body_like eval +qr/CONNECTED/ + + + +=== TEST 7: hit, get ocsp response:2 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect 
localhost:1994 -servername ocsp.test.com +--- response_body_like eval +qr/OCSP Response Status: successful/ + + + +=== TEST 8: enable ocsp-stapling plugin, set muilt cert which support ocsp +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local rsa_cert = t.read_file("t/certs/ocsp/ocsp_rsa.crt") + local rsa_key = t.read_file("t/certs/ocsp/ocsp_rsa.key") + + local ecc_cert = t.read_file("t/certs/ocsp/ocsp_ecc.crt") + local ecc_key = t.read_file("t/certs/ocsp/ocsp_ecc.key") + + local data = { + cert = rsa_cert, + key = rsa_key, + certs = { ecc_cert }, + keys = { ecc_key }, + sni = "ocsp.test.com", + ocsp_stapling = true + } + + local code, body = t.test('/apisix/admin/ssls/1', + ngx.HTTP_PUT, + core.json.encode(data), [[{ - "upstream": { - "nodes": { - "127.0.0.1:1980": 1 - }, - "type": "roundrobin" + "value": { + "sni": "ocsp.test.com" }, - "uri": "/echo" + "key": "/apisix/ssls/1" }]] ) - + ngx.status = code ngx.say(body) } } --- response_body passed + + +=== TEST 9: hit rsa cert, get ocsp response:1 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher +--- response_body_like eval +qr/CONNECTED/ + + + +=== TEST 10: hit rsa cert, get ocsp response:2 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher +--- response_body_like eval +qr/OCSP Response Status: successful/ + + + +=== TEST 11: hit rsa cert, get ocsp response:3 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA 
t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher +--- response_body_like eval +qr/OCSP Response Status: successful/ + + + +=== TEST 12: hit ecc cert, get ocsp response:1 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher +--- response_body_like eval +qr/CONNECTED/ + + + +=== TEST 13: hit ecc cert, get ocsp response:2 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher +--- response_body_like eval +qr/OCSP Response Status: successful/ + + + +=== TEST 14: hit rsa cert, get ocsp response:3 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher +--- response_body_like eval +qr/OCSP Response Status: successful/ From 8fbd205a46059993f04fdcc99128e1f1d96dffaa Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Thu, 11 Jan 2024 00:47:23 +0800 Subject: [PATCH 13/28] fix --- apisix/plugins/ocsp-stapling.lua | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua index e10d3cd5af32..d77ca2f6c6ab 100644 --- a/apisix/plugins/ocsp-stapling.lua +++ b/apisix/plugins/ocsp-stapling.lua 
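Review bot: In TESTs 9–14 of the `@@ -67,22 +109,177 @@` hunk the `openssl s_client ... -tls1_2 -cipher` command ends with `-cipher` and no cipher list, so the client exits with a usage error before connecting and `qr/OCSP Response Status: successful/` cannot match; each test needs the suite spelled out, e.g. `-cipher ECDHE-RSA-AES128-GCM-SHA256` for the RSA cases and an ECDSA suite for the ECC ones. The titles are also inconsistent (9–11 and 14 say `rsa`, 12–13 say `ecc`) while the commands are identical, so as written the tests cannot distinguish the two certificates. The backgrounded `openssl ocsp ... -nrequest 1 &` responder is started anew in every test on the same port; if a previous instance is still waiting for its single request (for example because the response was served from the cache), the next bind on 11451 fails, so starting the responder once per group would be more robust.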
@@ -83,9 +83,14 @@ end local function get_remote_ocsp_resp(der_cert_chain) - local ocsp_url = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) + local ocsp_url, err = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) + -- if cert not support ocsp, will not report error + if not err then + err = "nil" + end + if not ocsp_url then - return nil, "failed to get ocsp url" + return nil, "failed to get ocsp url: " .. err end local ocsp_req, err = ngx_ocsp.create_ocsp_request(der_cert_chain) From 77871e03e6387a553081d16e61da84b0307367a5 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Thu, 11 Jan 2024 22:47:08 +0800 Subject: [PATCH 14/28] base t ok --- t/plugin/ocsp-stapling.t | 184 +++++++++++++++++++++++++++++++++------ 1 file changed, 159 insertions(+), 25 deletions(-) diff --git a/t/plugin/ocsp-stapling.t b/t/plugin/ocsp-stapling.t index 2eb3088f9b2f..6516ee57fe00 100644 --- a/t/plugin/ocsp-stapling.t +++ b/t/plugin/ocsp-stapling.t @@ -175,7 +175,7 @@ passed === TEST 6: hit, get ocsp response:1 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & openssl s_client -status -connect localhost:1994 -servername ocsp.test.com --- response_body_like eval qr/CONNECTED/ 
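Review bot: `err = "nil"` turns a missing error string into a message that reads like a nil-concatenation bug (`failed to get ocsp url: nil`), and the `--- error_log` expectations in `t/plugin/ocsp-stapling.t` are then pinned to that wording. A descriptive fallback is clearer and shorter, e.g. `err = err or "no OCSP responder URL in the certificate"`, which also removes the separate `if not err` block. The following `local ocsp_req, err = ...` re-declares `err` in the same scope, which luacheck typically flags as a redefinition; declaring `err` once and assigning `ocsp_req, err = ...` is tidier.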
@@ -184,14 +184,14 @@ qr/CONNECTED/ === TEST 7: hit, get ocsp response:2 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & openssl s_client -status -connect localhost:1994 -servername ocsp.test.com --- response_body_like eval -qr/OCSP Response Status: successful/ +qr/Cert Status: good/ -=== TEST 8: enable ocsp-stapling plugin, set muilt cert which support ocsp +=== TEST 8: enable ocsp-stapling plugin, set muilt cert with ocsp support --- config location /t { content_by_lua_block { 
@@ -232,54 +232,188 @@ passed -=== TEST 9: hit rsa cert, get ocsp response:1 +=== TEST 9: hit ecc cert, get ocsp response:1 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 --- response_body_like eval qr/CONNECTED/ -=== TEST 10: hit rsa cert, get ocsp response:2 +=== TEST 10: hit ecc cert, get ocsp response:2 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 --- response_body_like eval -qr/OCSP Response Status: successful/ +qr/Peer signature type: ECDSA/ -=== TEST 11: hit rsa cert, get ocsp response:3 +=== TEST 11: hit ecc cert, get ocsp response:3 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA 
t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 --- response_body_like eval -qr/OCSP Response Status: successful/ +qr/Cert Status: good/ -=== TEST 12: hit ecc cert, get ocsp response:1 +=== TEST 12: hit rsa cert, get ocsp response:1 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 --- response_body_like eval qr/CONNECTED/ -=== TEST 13: hit ecc cert, get ocsp response:2 +=== TEST 13: hit rsa cert, get ocsp response:2 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 --- response_body_like eval -qr/OCSP Response Status: successful/ +qr/Peer signature type: RSA/ === TEST 14: hit rsa cert, get ocsp response:3 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/ca.crt -rkey t/certs/ocsp/ca.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect 
localhost:1994 -servername ocsp.test.com -tls1_2 -cipher +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 --- response_body_like eval -qr/OCSP Response Status: successful/ +qr/Cert Status: good/ + + + +=== TEST 15: enable ocsp-stapling plugin, set cert which support ocsp and revoked +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("t/certs/ocsp/ocsp_rsa_revoked.crt") + local ssl_key = t.read_file("t/certs/ocsp/ocsp_rsa_revoked.key") + + local data = { + cert = ssl_cert, + key = ssl_key, + sni = "ocsp.test.com", + ocsp_stapling = true + } + + local code, body = t.test('/apisix/admin/ssls/1', + ngx.HTTP_PUT, + core.json.encode(data) + ) + + if code >= 300 then + ngx.status = code + ngx.say(body) + return + end + + ngx.say(body) + } +} +--- response_body +passed + + + +=== TEST 16: hit revoked rsa cert, no ocsp response send:1 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com +--- response_body_like eval +qr/CONNECTED/ +--- error_log +ocsp response will not send, error info: failed to validate ocsp response: certificate status "revoked" in the OCSP response + + + +=== TEST 17: hit revoked rsa cert, no ocsp response send:2 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com +--- response_body_like 
eval +qr/OCSP response: no response sent/ +--- error_log +ocsp response will not send, error info: failed to validate ocsp response: certificate status "revoked" in the OCSP response + + + +=== TEST 18: hit revoked rsa cert, no ocsp response send:3 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com +--- error_log +ocsp response will not send, error info: failed to validate ocsp response: certificate status "revoked" in the OCSP response + + + +=== TEST 19: enable ocsp-stapling plugin, set cert which support ocsp and unknown status +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("t/certs/ocsp/ocsp_rsa_unknown.crt") + local ssl_key = t.read_file("t/certs/ocsp/ocsp_rsa_unknown.key") + + local data = { + cert = ssl_cert, + key = ssl_key, + sni = "ocsp.test.com", + ocsp_stapling = true + } + + local code, body = t.test('/apisix/admin/ssls/1', + ngx.HTTP_PUT, + core.json.encode(data) + ) + + if code >= 300 then + ngx.status = code + ngx.say(body) + return + end + + ngx.say(body) + } +} +--- response_body +passed + + + +=== TEST 20: hit unknown rsa cert, no ocsp response send:1 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com +--- response_body_like eval +qr/CONNECTED/ +--- error_log +ocsp response will not send, error info: failed to validate ocsp response: certificate status "unknown" in the OCSP response + + + +=== TEST 21: hit unknown rsa cert, no ocsp response send:2 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 
-rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com +--- response_body_like eval +qr/OCSP response: no response sent/ +--- error_log +ocsp response will not send, error info: failed to validate ocsp response: certificate status "unknown" in the OCSP response + + + +=== TEST 22: hit unknown rsa cert, no ocsp response send:3 +--- exec +openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & +openssl s_client -status -connect localhost:1994 -servername ocsp.test.com +--- error_log +ocsp response will not send, error info: failed to validate ocsp response: certificate status "unknown" in the OCSP response From 47f767903b38f6f9e560963c9d0f793b3d2c8a54 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Fri, 12 Jan 2024 01:03:05 +0800 Subject: [PATCH 15/28] try get status req ext --- apisix/cli/ngx_tpl.lua | 4 ++++ apisix/plugins/ocsp-stapling.lua | 15 +++++++------ apisix/ssl.lua | 36 ++++++++++++++++++++++++++++++++ 3 files changed, 49 insertions(+), 6 deletions(-) diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua index d8cc2550266c..532debe0ac4e 100644 --- a/apisix/cli/ngx_tpl.lua +++ b/apisix/cli/ngx_tpl.lua @@ -333,6 +333,10 @@ http { lua_shared_dict access-tokens {* http.lua_shared_dict["access-tokens"] *}; # cache for service account access tokens {% end %} + {% if enabled_plugins["ocsp-stapling"] then %} + lua_shared_dict ocsp-stapling {* http.lua_shared_dict["ocsp-stapling"] *}; # cache for ocsp-stapling + {% end %} + {% if enabled_plugins["ext-plugin-pre-req"] or enabled_plugins["ext-plugin-post-req"] then %} lua_shared_dict ext-plugin {* http.lua_shared_dict["ext-plugin"] *}; # cache for ext-plugin {% end %} 
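Review bot: TESTs 16–22 of the `@@ -232,54 +232,188 @@` hunk pin the behaviour that a `revoked` or `unknown` OCSP status produces no staple while the handshake with that certificate still completes; that fail-open design choice should be stated in the plugin documentation, and the tests only assert on the error log, so nothing checks that the connection was actually established. TESTs 18 and 22 have no `--- response_body_like` at all and therefore pass even if `openssl s_client` fails to connect. The responder started with `-nrequest 1 &` exits after a single request; when the second and third tests of a group are served from the cache, their responders keep listening on 11451 and the next test's `openssl ocsp` presumably cannot bind, so the sequence appears to work only because the stale instance answers. Starting the responder once per group, or asserting on the `openssl ocsp` output as well, would make the tests deterministic.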
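Review bot: The template now emits `lua_shared_dict ocsp-stapling {* http.lua_shared_dict["ocsp-stapling"] *};` whenever the plugin is enabled, but this commit adds no default size for `ocsp-stapling` under `nginx_config.http.lua_shared_dict` in `conf/config-default.yaml`, so the rendered directive has no size argument and nginx rejects the configuration until the user supplies one. The default belongs in the same commit as the template change (a later patch in this series adds `ocsp-stapling: 10m`). The surrounding `http {` template block starts before the hunk.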
diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua index d77ca2f6c6ab..bb60f7530dee 100644 --- a/apisix/plugins/ocsp-stapling.lua +++ b/apisix/plugins/ocsp-stapling.lua @@ -41,9 +41,8 @@ local _M = { priority = -44, } -local ocsp_resp_cache = core.lrucache.new { - ttl = 3600, count = 1024, -} +local ocsp_resp_cache = ngx.shared[plugin_name] +local cache_ttl = 3600 function _M.check_schema(conf) @@ -131,9 +130,12 @@ local function set_ocsp_resp(full_chain_pem_cert) return false, "failed to convert certificate chain from PEM to DER: ", err end - local ocsp_resp, err = ocsp_resp_cache(full_chain_pem_cert, nil, - get_remote_ocsp_resp, der_cert_chain) - if not ocsp_resp then + local ocsp_resp = ocsp_resp_cache:get(full_chain_pem_cert) + if ocsp_resp == nil then + ocsp_resp, err = get_remote_ocsp_resp(der_cert_chain) + end + + if ocsp_resp == nil then return false, err end @@ -141,6 +143,7 @@ local function set_ocsp_resp(full_chain_pem_cert) if not ok then return false, "failed to validate ocsp response: " .. err end + ocsp_resp_cache:set(full_chain_pem_cert, ocsp_resp, cache_ttl) -- set the OCSP stapling ok, err = ngx_ocsp.set_ocsp_status_resp(ocsp_resp) diff --git a/apisix/ssl.lua b/apisix/ssl.lua index e14c92fc3c41..ddd75a011235 100644 --- a/apisix/ssl.lua +++ b/apisix/ssl.lua 
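Review bot: In the `@@ -131,9 +130,12 @@` and `@@ -141,6 +143,7 @@` hunks the response is cached for a fixed `cache_ttl = 3600` after validation, independent of the response's own `nextUpdate`; a response whose validity ends earlier keeps being stapled until the TTL expires, and clients that validate the staple may then reject the handshake, so the TTL should be capped by the response validity, or at least be configurable and documented as a hard upper bound. Because `ocsp_resp_cache:set` now runs only after a successful `validate_ocsp_response`, a response that fails validation (e.g. status `revoked`) is fetched again over the network on every handshake for that certificate, adding a responder round-trip to each client connection; a short negative-cache entry bounds that. `ocsp_resp_cache = ngx.shared[plugin_name]` in the `@@ -41,9 +41,8 @@` hunk is `nil` when the dict is missing from nginx.conf, and the first `:get` would then raise inside the certificate callback; `assert(ngx.shared[plugin_name], "lua_shared_dict ocsp-stapling is not defined")` at load time gives a clear error instead.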
@@ -313,4 +313,40 @@ function _M.check_ssl_conf(in_dp, conf) end +function _M.get_status_request_ext(clienthello) + + local byte = string.byte + local ext = ngx_ssl_client.get_client_hello_ext(5) + if not ext then + print("failed") + end + local total_len = string.len(ext) + if total_len <= 2 then + print("bad SSL Client Hello Extension") + ngx.exit(ngx.ERROR) + end + local len = byte(ext, 1) * 256 + byte(ext, 2) + if len + 2 ~= total_len then + print("bad SSL Client Hello Extension") + ngx.exit(ngx.ERROR) + end + if byte(ext, 3) ~= 0 then + print("bad SSL Client Hello Extension") + ngx.exit(ngx.ERROR) + end + if total_len <= 5 then + print("bad SSL Client Hello Extension") + ngx.exit(ngx.ERROR) + end + len = byte(ext, 4) * 256 + byte(ext, 5) + if len + 5 > total_len then + print("bad SSL Client Hello Extension") + ngx.exit(ngx.ERROR) + end + local name = string.sub(ext, 6, 6 + len -1) + + print("read SNI name from Lua: ", name) +end + + return _M From ae0fd6de6972fdbaa17e302170649b4ec6e05c27 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Fri, 12 Jan 2024 14:23:50 +0800 Subject: [PATCH 16/28] ctx in ssl_client_hello --- apisix/init.lua | 3 +++ apisix/ssl.lua | 52 ++++++++++++++++++++++--------------------------- 2 files changed, 26 insertions(+), 29 deletions(-) diff --git a/apisix/init.lua b/apisix/init.lua index c234f3bdff6e..3505d5ab0f9d 100644 --- a/apisix/init.lua +++ b/apisix/init.lua @@ -191,6 +191,7 @@ function _M.http_ssl_client_hello_phase() core.log.error("failed to find SNI: " .. (err or advise)) ngx_exit(-1) end + local tls_ext_status_req = apisix_ssl.get_status_request_ext() local ngx_ctx = ngx.ctx local api_ctx = core.tablepool.fetch("api_ctx", 0, 32) 
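Review bot: `if not ext then print("failed") end` does not return, so when the ClientHello carries no status_request extension `string.len(ext)` is called on `nil` and raises inside the client-hello handler; the branch needs `return false` (and `core.log` rather than `print`). The remainder of the body is the SNI parser (it reads a 2-byte list length, a name-type byte and a name, and logs `read SNI name from Lua`) applied to extension 5, whose layout per RFC 6066 is a 1-byte status_type followed by two length-prefixed lists, so the checks do not match the data they inspect. Terminating the handshake with `ngx.exit(ngx.ERROR)` on a malformed, client-supplied extension also turns a parse problem into a refused connection; returning false and proceeding without stapling is the safer failure mode. The unused `clienthello` parameter should be dropped.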
@@ -199,8 +200,10 @@ function _M.http_ssl_client_hello_phase() local ok, err = router.router_ssl.match_and_set(api_ctx, true, sni) ngx_ctx.matched_ssl = api_ctx.matched_ssl + api_ctx.tls_ext_status_req = tls_ext_status_req core.tablepool.release("api_ctx", api_ctx) ngx_ctx.api_ctx = nil + ngx_ctx.tls_ext_status_req = tls_ext_status_req if not ok then if err then diff --git a/apisix/ssl.lua b/apisix/ssl.lua index ddd75a011235..15bafcc575ae 100644 --- a/apisix/ssl.lua +++ b/apisix/ssl.lua @@ -23,6 +23,8 @@ local ngx_encode_base64 = ngx.encode_base64 local ngx_decode_base64 = ngx.decode_base64 local aes = require("resty.aes") local str_lower = string.lower +local str_byte = string.byte +local str_len = string.len local assert = assert local type = type local ipairs = ipairs 
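Review bot: `api_ctx.tls_ext_status_req = tls_ext_status_req` is written one line before `core.tablepool.release("api_ctx", api_ctx)` hands that table back to the pool, so the value is discarded by the release and nothing downstream can read it; only the `ngx_ctx.tls_ext_status_req` assignment is useful and the `api_ctx` line should go. In the `@@ -191,6 +191,7 @@` hunk `apisix_ssl.get_status_request_ext()` runs before `router_ssl.match_and_set`, i.e. for every ClientHello including SNIs with no matching ssl object; that is cheap, but a comment such as `-- read before match_and_set: the extension is only accessible in this phase` would explain why it cannot be deferred, if that is the reason. `http_ssl_client_hello_phase` begins before the hunk.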
@@ -313,39 +315,31 @@ function _M.check_ssl_conf(in_dp, conf) end -function _M.get_status_request_ext(clienthello) - - local byte = string.byte +function _M.get_status_request_ext() + core.log.debug("parsing status request extension ... ") local ext = ngx_ssl_client.get_client_hello_ext(5) if not ext then - print("failed") - end - local total_len = string.len(ext) - if total_len <= 2 then - print("bad SSL Client Hello Extension") - ngx.exit(ngx.ERROR) - end - local len = byte(ext, 1) * 256 + byte(ext, 2) - if len + 2 ~= total_len then - print("bad SSL Client Hello Extension") - ngx.exit(ngx.ERROR) - end - if byte(ext, 3) ~= 0 then - print("bad SSL Client Hello Extension") - ngx.exit(ngx.ERROR) - end - if total_len <= 5 then - print("bad SSL Client Hello Extension") - ngx.exit(ngx.ERROR) - end - len = byte(ext, 4) * 256 + byte(ext, 5) - if len + 5 > total_len then - print("bad SSL Client Hello Extension") - ngx.exit(ngx.ERROR) + return false + end + local total_len = str_len(ext) + -- 1-byte for CertificateStatusType + -- 2-byte for zero-length "responder_id_list" + -- 2-byte for zero-length "request_extensions" + if total_len < 5 then + core.log.error("bad ssl client hello extension: ", + "extension data error") + return false + end + + -- CertificateStatusType + local status_type = str_byte(ext, 1) + if status_type == 1 then + core.log.debug("parsing status request extension ok: ", + "status_type is ocsp(1)") + return true end - local name = string.sub(ext, 6, 6 + len -1) - print("read SNI name from Lua: ", name) + return false end From 1423c740977c6652833fe67e9186737ada79436a Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Fri, 12 Jan 2024 15:19:28 +0800 Subject: [PATCH 17/28] RC --- apisix/init.lua | 1 - apisix/plugins/ocsp-stapling.lua | 35 ++++++++++++++++++++++++-------- apisix/ssl.lua | 1 + conf/config-default.yaml | 1 + 4 files changed, 28 insertions(+), 10 deletions(-) diff --git a/apisix/init.lua b/apisix/init.lua index 3505d5ab0f9d..9a13fae8eb2a 100644 
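Review bot: `core.log.error("bad ssl client hello extension: ", "extension data error")` logs at error level on input that any unauthenticated client can put in its ClientHello, so a peer sending a short extension 5 can fill the error log at handshake rate; `warn` (or `info`) is the right level for malformed client data, and the message is more useful with the observed length, e.g. `core.log.warn("bad status_request extension, length: ", total_len)`. The function has no doc comment; an LDoc header stating that it returns true only when the ClientHello carries a status_request extension with status_type ocsp(1) and false in every other case (absent, too short, other status types), and that it must be called from the ssl_client_hello phase because `ngx.ssl.clienthello` is only available there, would make the boolean contract clear to the caller in `init.lua`.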
--- a/apisix/init.lua +++ b/apisix/init.lua @@ -200,7 +200,6 @@ function _M.http_ssl_client_hello_phase() local ok, err = router.router_ssl.match_and_set(api_ctx, true, sni) ngx_ctx.matched_ssl = api_ctx.matched_ssl - api_ctx.tls_ext_status_req = tls_ext_status_req core.tablepool.release("api_ctx", api_ctx) ngx_ctx.api_ctx = nil ngx_ctx.tls_ext_status_req = tls_ext_status_req diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua index bb60f7530dee..0859e27879b4 100644 --- a/apisix/plugins/ocsp-stapling.lua +++ b/apisix/plugins/ocsp-stapling.lua @@ -21,13 +21,16 @@ local require = require local pcall = pcall local get_request = require("resty.core.base").get_request local http = require("resty.http") +local ngx_ctx = require("ngx.ctx") local ngx_ocsp = require("ngx.ocsp") local ngx_ssl = require("ngx.ssl") local radixtree_sni = require("apisix.ssl.router.radixtree_sni") local core = require("apisix.core") local apisix_ssl = require("apisix.ssl") +local cache_ttl = 3600 local plugin_name = "ocsp-stapling" +local ocsp_resp_cache = ngx.shared[plugin_name] local plugin_schema = { type = "object", @@ -41,9 +44,6 @@ local _M = { priority = -44, } -local ocsp_resp_cache = ngx.shared[plugin_name] -local cache_ttl = 3600 - function _M.check_schema(conf) return core.schema.check(plugin_schema, conf) @@ -82,8 +82,9 @@ end local function get_remote_ocsp_resp(der_cert_chain) + core.log.debug("get remote ocsp resp ... ") local ocsp_url, err = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) - -- if cert not support ocsp, will not report error + -- if cert not support ocsp, the report error is nil if not err then err = "nil" end 
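Review bot: `local ngx_ctx = require("ngx.ctx")` in the `@@ -21,13 +21,16 @@` hunk will not resolve as far as I can tell — lua-resty-core does not ship an `ngx.ctx` module; `ngx.ctx` is a per-request table on the `ngx` global — so the plugin fails at load time, and even if the require succeeded, capturing the value at module scope could at best bind a context unrelated to the handshake being processed. The check in the `@@ -157,7 +165,19 @@` hunk on the next line should read the field at call time, `if not ngx.ctx.tls_ext_status_req then`, with the require removed. This also relies on `ngx.ctx` set in the client-hello phase surviving into the certificate callback, which the test suite should pin.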
@@ -131,7 +132,10 @@ local function set_ocsp_resp(full_chain_pem_cert)
 end
 local ocsp_resp = ocsp_resp_cache:get(full_chain_pem_cert)
+ local resp_from_cache = true
 if ocsp_resp == nil then
+ core.log.debug("not ocsp resp cache found, fetch from ocsp responder")
+ resp_from_cache = false
 ocsp_resp, err = get_remote_ocsp_resp(der_cert_chain)
 end
@@ -141,6 +145,10 @@ local function set_ocsp_resp(full_chain_pem_cert)
 local ok, err = ngx_ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain)
 if not ok then
+ -- try delete cache
+ if resp_from_cache then
+ ocsp_resp_cache:delete(full_chain_pem_cert)
+ end
 return false, "failed to validate ocsp response: " .. err
 end
 ocsp_resp_cache:set(full_chain_pem_cert, ocsp_resp, cache_ttl)
@@ -157,7 +165,19 @@ end
 local original_set_cert_and_key
 local function set_cert_and_key(sni, value)
- if not value.gm and value.ocsp_stapling then
+ if value.gm then
+ -- should not run with gm plugin
+ -- if gm plugin enabled, not run with ocsp-stapling plugin
+ core.log.info("gm plugin enabled, no need to run ocsp-stapling plugin")
+ return original_set_cert_and_key(sni, value)
+ end
+
+ if value.ocsp_stapling then
+ if not ngx_ctx.tls_ext_status_req then
+ core.log.info("no status request required, no need to send ocsp response")
+ return original_set_cert_and_key(sni, value)
+ end + + local ok, err = set_pem_ssl_key(sni, value.cert, value.key)
 if not ok then
 return false, err
@@ -179,14 +199,11 @@ local function set_cert_and_key(sni, value)
 local ok, err = set_ocsp_resp(fin_pem_cert)
 if not ok then
- core.log.error("ocsp response will not send, error info: ", err)
+ core.log.error("no ocsp response send: ", err)
 end
 return true
 end
- -- should not run with gm plugin
- -- if gm plugin enabled, will not run ocsp-stapling plugin
- return original_set_cert_and_key(sni, value)
 end
diff --git a/apisix/ssl.lua b/apisix/ssl.lua
index 15bafcc575ae..282f0f11b3d5 100644
--- a/apisix/ssl.lua
+++ b/apisix/ssl.lua
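Review bot: In the second hunk the `ocsp_resp_cache:set(full_chain_pem_cert, ocsp_resp, cache_ttl)` context line still runs on every successful call, including when `resp_from_cache` is true, so each handshake resets the entry's TTL to a fresh 3600 s and under steady traffic `cache_ttl` no longer bounds how old a stapled response can get; a refresh then only happens once `validate_ocsp_response` starts rejecting the entry, at which point the new delete branch drops it but that handshake goes out without a staple. Writing only on a miss, `if not resp_from_cache then ocsp_resp_cache:set(full_chain_pem_cert, ocsp_resp, cache_ttl) end`, keeps the TTL absolute. set_ocsp_resp's opening and closing lines are outside this hunk.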
@@ -319,6 +319,7 @@ function _M.get_status_request_ext()
 core.log.debug("parsing status request extension ... ")
 local ext = ngx_ssl_client.get_client_hello_ext(5)
 if not ext then
+ core.log.debug("no contains status request extension")
 return false
 end
 local total_len = str_len(ext)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index bf9016725e22..4892b153c3b5 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -278,6 +278,7 @@ nginx_config: # Config for render the template to generate n
 ext-plugin: 1m
 tars: 1m
 cas-auth: 10m
+ ocsp-stapling: 10m
 # discovery: # Service Discovery
 # dns:
From 91ec96980bd860bc69c794ff0d9b790606138dcb Mon Sep 17 00:00:00 2001
From: yuweizzz
Date: Fri, 12 Jan 2024 15:30:14 +0800
Subject: [PATCH 18/28] more error detail
---
 apisix/plugins/ocsp-stapling.lua | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua
index 0859e27879b4..bee115b86f2e 100644
--- a/apisix/plugins/ocsp-stapling.lua
+++ b/apisix/plugins/ocsp-stapling.lua
@@ -86,7 +86,7 @@ local function get_remote_ocsp_resp(der_cert_chain)
 local ocsp_url, err = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain)
 -- if cert not support ocsp, the report error is nil
 if not err then
- err = "nil"
+ err = "cert not cotains authority_information_access extension"
 end
 if not ocsp_url then
@@ -167,7 +167,6 @@ local original_set_cert_and_key
 local function set_cert_and_key(sni, value)
 if value.gm then
 -- should not run with gm plugin
- -- if gm plugin enabled, not run with ocsp-stapling plugin
 core.log.info("gm plugin enabled, no need to run ocsp-stapling plugin")
 return original_set_cert_and_key(sni, value)
 end
From 10a833084701e2033ff27eff282d924ac930a328 Mon Sep 17 00:00:00 2001
From: yuweizzz Date: Fri, 12 Jan 2024 21:42:35 +0800 Subject: [PATCH 19/28] add ocsp test cert --- t/certs/ocsp/ca.crt | 19 ++++++++++++++++++ t/certs/ocsp/ca.key | 27 +++++++++++++++++++++++++ t/certs/ocsp/ecc_good.crt | 34 +++++++++++++++++++++++++++++++ t/certs/ocsp/ecc_good.key | 8 ++++++++ t/certs/ocsp/index.txt | 4 ++++ t/certs/ocsp/rsa_good.crt | 38 +++++++++++++++++++++++++++++++++++ t/certs/ocsp/rsa_good.key | 27 +++++++++++++++++++++++++ t/certs/ocsp/rsa_revoked.crt | 39 ++++++++++++++++++++++++++++++++++++ t/certs/ocsp/rsa_revoked.key | 27 +++++++++++++++++++++++++ t/certs/ocsp/rsa_unknown.crt | 39 ++++++++++++++++++++++++++++++++++++ t/certs/ocsp/rsa_unknown.key | 27 +++++++++++++++++++++++++ t/certs/ocsp/signer.crt | 19 ++++++++++++++++++ t/certs/ocsp/signer.key | 27 +++++++++++++++++++++++++ 13 files changed, 335 insertions(+) create mode 100644 t/certs/ocsp/ca.crt create mode 100644 t/certs/ocsp/ca.key create mode 100644 t/certs/ocsp/ecc_good.crt create mode 100644 t/certs/ocsp/ecc_good.key create mode 100644 t/certs/ocsp/index.txt create mode 100644 t/certs/ocsp/rsa_good.crt create mode 100644 t/certs/ocsp/rsa_good.key create mode 100644 t/certs/ocsp/rsa_revoked.crt create mode 100644 t/certs/ocsp/rsa_revoked.key create mode 100644 t/certs/ocsp/rsa_unknown.crt create mode 100644 t/certs/ocsp/rsa_unknown.key create mode 100644 t/certs/ocsp/signer.crt create mode 100644 t/certs/ocsp/signer.key diff --git a/t/certs/ocsp/ca.crt b/t/certs/ocsp/ca.crt new file mode 100644 index 000000000000..a914cc882d99 --- /dev/null +++ b/t/certs/ocsp/ca.crt 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFjCCAf6gAwIBAgIUAnhMqrkvSgWhsBCMZ1JTCPcu7vMwDQYJKoZIhvcNAQEL +BQAwPDELMAkGA1UEBhMCQ04xFjAUBgNVBAsMDUFwYWNoZSBBUElTSVgxFTATBgNV +BAMMDG9jc3AgdGVzdCBDQTAeFw0yNDAxMTIxMjQ2MjNaFw0zNDAxMDkxMjQ2MjNa +MDwxCzAJBgNVBAYTAkNOMRYwFAYDVQQLDA1BcGFjaGUgQVBJU0lYMRUwEwYDVQQD +DAxvY3NwIHRlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCk +ZQCxB1QLw53pmmuv3QrLy37owSHzPkl4+sRF4usOCLQD+hQOesjNM9NHAI4TElQT +3Zr7q6DjAMPQQXq1yI9N79lA2OEIU4SiY5zgWeAcqMnurpDtYAL8Hw4dP5EfJQWx +4kOolrWbyhSYyjdkdLJsvnutBKl41Pw2Wjc/+XMxapolSqoY331mr9ZT2knpPQFh +bUnTMLy9ft5TIMXNePOL0cb9CEekjjq/YkrjbcanUsOdCuDioK6JkqXVvtRbXGsu +igFWBu3yHu8zAelgDcqzNW2K1SRPhiXwvRYkgMfoQiaPHaAjR+yU2oe0FwgbOw2w +RZmAhTZoPm06vwmy1UEhAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN +AQELBQADggEBACfkJIB/4tTYzB8nE1hcD0XsJodgcRiFUgGl4zi40EMpNF51at46 +DzoLqqpe7Y/F+X8Lk1wW0k+Yr5iY6VPEkRJ2Qa74kN3CBfjCfAhNnSwrIWFcDf7c +o31ZTfDGGokhse6bu0taIQVyaei/cJXzcJpBa9a6xkH+PH9n7xY45Sy6PLfJosZ5 +vfnSOSzvCoF4cnldyQ5/M0EdsJpaMRtKgPY2T+QgE7tgVBpx3GE2L+gn0R1eChpz +9flVo1AdDoL/GeLjveHoEHsqQKZ/f53gED5kr4qeOMmDUSyP1G8ybwG55GoH0Fyf ++Wg9hs5VVx13uUKV0j976aBDLhtlNcP/kHc= +-----END CERTIFICATE----- diff --git a/t/certs/ocsp/ca.key b/t/certs/ocsp/ca.key new file mode 100644 index 000000000000..b1f98ba88178 --- /dev/null +++ b/t/certs/ocsp/ca.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEApGUAsQdUC8Od6Zprr90Ky8t+6MEh8z5JePrEReLrDgi0A/oU +DnrIzTPTRwCOExJUE92a+6ug4wDD0EF6tciPTe/ZQNjhCFOEomOc4FngHKjJ7q6Q +7WAC/B8OHT+RHyUFseJDqJa1m8oUmMo3ZHSybL57rQSpeNT8Nlo3P/lzMWqaJUqq +GN99Zq/WU9pJ6T0BYW1J0zC8vX7eUyDFzXjzi9HG/QhHpI46v2JK423Gp1LDnQrg +4qCuiZKl1b7UW1xrLooBVgbt8h7vMwHpYA3KszVtitUkT4Yl8L0WJIDH6EImjx2g +I0fslNqHtBcIGzsNsEWZgIU2aD5tOr8JstVBIQIDAQABAoIBAGHKd2vXaSaKWgBh +TJfTzJ1IUxkP8ispLTmbKnBMOPkjMjp/Y7jtT0/J+W9uJBWyPHOIyq3U/aKrjM/w +c5d5U83P1JOfr9VtISQcT3Ch5hAGVAD4tNuP1pa1voaljqVRN58Gcqrx49xljHUL +LYJDbPQFJ7rXYByxzcpjRiR3Ng/5Xtyi8nDuGF+fnT6k/juFLT0sSz2jEjOa2FXl +uvHKnn1bxTh7MEFJvh6/vaPglCPjWxyJtrFn0p3DsE4hEK/530rMpO23bLHwqmwp +g5v55iRyLTkbnZMlrK+E+NAf7QUVBLaI1R+NClWHvjhugK9dBT+lKqTmw/3htLtz +EZCyDLUCgYEAz6fuER+5NE8YeUudfYqNX+tfgPeIhZValWB4lBgZ6yKZgfSwFcGc +NfObW2Xz8mtLhBjajxQXHhHAsKhI+DfUwcBDafhZEY2jc4lYno/lsfDDFqSFpIdY +lP0xLZupxFpI9nvmNfDWx1LFeN8MMsWR2FHv0NR+fSGdXj2xd8k54eMCgYEAyqq9 +BXsjlareIFJuqNdORoSCk3BgRBav9SBmU0sZiv7A27jQOl4R1oLctubFNQ5tJ9Z5 +778dk3O2yNjzt5UEbQ8w/tPNzFxo25N3bUB5uBi12LhTVF8cPOxq2zd+hWPQvRwG +edseLUxq6WNc19tpeACUo0LuZtIxETarf03jcCsCgYEAo6EWTVQMIpX5GQtmjJhz +EpRsazmi0HCCMpcULM5ZDhnzkJ35awtnRnQxhXHvKqU1ml/jST9xf/ZJOmtBJKcJ +9arE9GoH9XcAx3gA5uFJBFBNyjfWP3GPcceZyvCQc/MY73FuVC71b5dfmAFaoV9h +r23RZWMsUPn+AVbn0xYzkDUCgYEAhyTvwxXoFsfIM5mEfUaFxfRa9mJ7bywJzdX7 +JhPwRoW2qU5GXIWaM4c0Eysz2jtygpw816iD2m3RN4Gkk4jlWKxGqccndt0wdyuQ ++eOCx0aDDK9tsddyhxXH88K/tcdnzJNBpkR9jQtmR5egs7h2TjVk6LGbNCl52tav +6cZQod0CgYB6Lj2Xw4+T9zMDG5YzEHuB6W6Acv5/Cmy3aPtsaZ+/GyA+lJgdVeII +L6ktTtBc7E+RwgK0URs3kBv12oQebrljXaO6YCwPEXxEtPAyVE7aGa/3zYH2LECZ +20vXN/24QEN946wJXMCJCmgsy1tzdHjrBfx2NEiJyyNWLAMsQXSodQ== +-----END RSA PRIVATE KEY----- diff --git a/t/certs/ocsp/ecc_good.crt b/t/certs/ocsp/ecc_good.crt new file mode 100644 index 000000000000..c29d85dcd25f --- /dev/null +++ b/t/certs/ocsp/ecc_good.crt 
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIICYDCCAUigAwIBAgIBAjANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW +MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X +DTI0MDExMjEyNTAyNFoXDTM0MDEwOTEyNTAyNFowPTELMAkGA1UEBhMCQ04xFjAU +BgNVBAsMDUFwYWNoZSBBUElTSVgxFjAUBgNVBAMMDW9jc3AudGVzdC5jb20wWTAT +BgcqhkjOPQIBBggqhkjOPQMBBwNCAASLmQpqv75l+S6ha6WvaLeUm6BITckv6+VB +k+2pIyDgFwVcGZJ9b5vxLEKfVTBfMq1mZBihZhJaNGQFwMoY5/Q+ozcwNTAzBggr +BgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6MTE0NTEv +MA0GCSqGSIb3DQEBCwUAA4IBAQCHGcRSEFYfCU2Jn3EvE/fzdqtFNycqaeJm4Ism +yNYnyHA1gF1cGpTx7xo1k00LfaHB53DH7IQcMY9x8/NyZljpk+gR9ZmtWsxqTuTb +tDWVlsyt3F6RQlq/RC3wg/8hImLO2+5hdck9gV0VtI0Gwb/cFkPEPg9X3TZ3MLm/ +Uax23sUA2d8QN1R/16lt0uua/uHSM6Cv/RNCQ8j31g6GgpdxS/k4haG4G3h3ShF/ +qruYuobz81p8OhoB+yhGKmkNyfqmz63FWVspPgd8PWEhZ0ugSse5J+DZlizyAlkI +XKm8eYXO/4cFR2A3yxIsb2tu9s1LTMg9u4GS+xnxIwUqGMik +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDETCCAfmgAwIBAgIBBTANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW +MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X +DTI0MDExMjEyNTc0NloXDTM0MDEwOTEyNTc0NlowQzELMAkGA1UEBhMCQ04xFjAU +BgNVBAsMDUFwYWNoZSBBUElTSVgxHDAaBgNVBAMME29jc3AgdGVzdCBDQSBzaWdu +ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC+xUOj+eNfA5Epger +Ru0ZYXPQtq37rvsQzmSFFtrZvvusUpuJ4fvWXg2jl+XPaAUjfd1TWnirXfGQAGkY +06CShSW00PvxCxm1JvJiEjCCq6Xm5AVqf0vlWry2GYho49xYhbSGdPkS/s9l2q0H +J06nEdqpWFlQ0xE8x5sSYgwSfNvon/y+VX30tkWoAg1BrgH5v13MCPKSJBzUugbO +Ey+YpOzk7l9HuWL5MAg4iIX8y5tHzGueGeCJryxXxrU0ESC5E5ba9URoqD0UAM76 +cvM6UoLseUHfehwE+oRf8ZSShwgpK8QYgVFLTF+X3cNgCOrFB4oOb9Lvm21N57DB +fWohAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUA +A4IBAQAZsTHO1gB9PMwQT5zH5aS64c59sgfKHuiJGLlJdMPsT9gp2kYBIJXJCz0N +wSRcCUu6MpE+bwuXaYhNRjSegsgh1IUKhYmbwkksnixMAR3DLRJwhTZcRqui6uVb +YfHFwaGKeiCrbu7E4cw+tAdN8+Am2p96kwD4t9vSSFmfdf0qJoiLufQbThW/TqQx +Lnn426fkLNKqn489yvm1Aot0KTB/t73oVdFNS+qDYqaOoqYyJtKOm3yXSM2EUowp +NTeRIpWyb8//G+zahG2fQ9t7vqS8zo9PyRqZJumUxJclPJRe++6IqXHkX+hyp+o1 
+8cndoRbIYiaJw9b/bTcqqwlWDPcI +-----END CERTIFICATE----- diff --git a/t/certs/ocsp/ecc_good.key b/t/certs/ocsp/ecc_good.key new file mode 100644 index 000000000000..23d09c3148ff --- /dev/null +++ b/t/certs/ocsp/ecc_good.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIHMwGqSAcIFnsy8Sa6NxlSmGuOXV13SbZbZVIobN+3xboAoGCCqGSM49 +AwEHoUQDQgAEi5kKar++ZfkuoWulr2i3lJugSE3JL+vlQZPtqSMg4BcFXBmSfW+b +8SxCn1UwXzKtZmQYoWYSWjRkBcDKGOf0Pg== +-----END EC PRIVATE KEY----- diff --git a/t/certs/ocsp/index.txt b/t/certs/ocsp/index.txt new file mode 100644 index 000000000000..4156b28e80fc --- /dev/null +++ b/t/certs/ocsp/index.txt @@ -0,0 +1,4 @@ +V 340109124821Z 1 unknown /C=CN/OU=Apache APISIX/CN=ocsp.test.com1 +V 340109125024Z 2 unknown /C=CN/OU=Apache APISIX/CN=ocsp.test.com2 +R 340109125151Z 240109125151Z 3 unknown /C=CN/OU=Apache APISIX/CN=ocsp-revoked.test.com +V 340109125746Z 5 unknown /C=CN/OU=Apache APISIX/CN=ocsp test CA signer diff --git a/t/certs/ocsp/rsa_good.crt b/t/certs/ocsp/rsa_good.crt new file mode 100644 index 000000000000..ea893f565529 --- /dev/null +++ b/t/certs/ocsp/rsa_good.crt 
@@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIDKzCCAhOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW +MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X +DTI0MDExMjEyNDgyMVoXDTM0MDEwOTEyNDgyMVowPTELMAkGA1UEBhMCQ04xFjAU +BgNVBAsMDUFwYWNoZSBBUElTSVgxFjAUBgNVBAMMDW9jc3AudGVzdC5jb20wggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDz11rOQW/jrmb/A9XcUXmmWIjT +d4EwoukLguwASqvUnLnwRYXb0+StyOkG86YRiUnrYqPQEuOs7V+Ladr1wNtFssP0 +fe63lbdZWETQkmg6lapnS6gQ3hvET5aCxwAPsKuXwiUpuA0xyj4Ddrfyj2/w+n+8 +eJpjQUO8HZcWtIuK/ZVhElhgu5mqtUpH/VuojMmMT+DoQ2jnpDGhwwN8w4o6uLTt +dCUxxvuC+VrGeqhcX6iZq37K/bsIBs7l+JtzxGrtyqklnID6LJtr8UjiSVlI2uT0 +IultMWwjra0chfxxFgWsQSQfQmslwoRb5k61Ymms1uzrgTXKkniKC5LUKhjjAgMB +AAGjNzA1MDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovLzEyNy4w +LjAuMToxMTQ1MS8wDQYJKoZIhvcNAQELBQADggEBAA5j6XDBigixHYX4iWzRHwg1 +IG/NzeIzkNe/ygA5er7JDGpphQdBcnjkDoqT4hkAvAxbDTv4MPPEq6RyeWk6fgEA +ESlsE4lpMw3DgLsVwaPSM5Ej6fcoD2pfHCciDIp2WwscwK9JgdrxTiGu2epturzP +L/pJZIAu1HLaMmkKowDQHV/EdOsLeqbzGnye4uj8aIxS5IwiNe+0B8Lbm5PaHIGU +Xh//XZHb5P+5JhadVxs3Y85lsaOzqOC6toJrFbydHNhEPMgRaBorpD2mAClBNOUR +mQzfXDtIUJUDWkhoG66Gglr8NroebgSthcqu8kul3CCzCnWpiLChjC37Q/d3+MU= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDETCCAfmgAwIBAgIBBTANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW +MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X +DTI0MDExMjEyNTc0NloXDTM0MDEwOTEyNTc0NlowQzELMAkGA1UEBhMCQ04xFjAU +BgNVBAsMDUFwYWNoZSBBUElTSVgxHDAaBgNVBAMME29jc3AgdGVzdCBDQSBzaWdu +ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC+xUOj+eNfA5Epger +Ru0ZYXPQtq37rvsQzmSFFtrZvvusUpuJ4fvWXg2jl+XPaAUjfd1TWnirXfGQAGkY +06CShSW00PvxCxm1JvJiEjCCq6Xm5AVqf0vlWry2GYho49xYhbSGdPkS/s9l2q0H +J06nEdqpWFlQ0xE8x5sSYgwSfNvon/y+VX30tkWoAg1BrgH5v13MCPKSJBzUugbO +Ey+YpOzk7l9HuWL5MAg4iIX8y5tHzGueGeCJryxXxrU0ESC5E5ba9URoqD0UAM76 +cvM6UoLseUHfehwE+oRf8ZSShwgpK8QYgVFLTF+X3cNgCOrFB4oOb9Lvm21N57DB +fWohAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUA 
+A4IBAQAZsTHO1gB9PMwQT5zH5aS64c59sgfKHuiJGLlJdMPsT9gp2kYBIJXJCz0N +wSRcCUu6MpE+bwuXaYhNRjSegsgh1IUKhYmbwkksnixMAR3DLRJwhTZcRqui6uVb +YfHFwaGKeiCrbu7E4cw+tAdN8+Am2p96kwD4t9vSSFmfdf0qJoiLufQbThW/TqQx +Lnn426fkLNKqn489yvm1Aot0KTB/t73oVdFNS+qDYqaOoqYyJtKOm3yXSM2EUowp +NTeRIpWyb8//G+zahG2fQ9t7vqS8zo9PyRqZJumUxJclPJRe++6IqXHkX+hyp+o1 +8cndoRbIYiaJw9b/bTcqqwlWDPcI +-----END CERTIFICATE----- diff --git a/t/certs/ocsp/rsa_good.key b/t/certs/ocsp/rsa_good.key new file mode 100644 index 000000000000..7c2f3b5f34d8 --- /dev/null +++ b/t/certs/ocsp/rsa_good.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA89dazkFv465m/wPV3FF5pliI03eBMKLpC4LsAEqr1Jy58EWF +29PkrcjpBvOmEYlJ62Kj0BLjrO1fi2na9cDbRbLD9H3ut5W3WVhE0JJoOpWqZ0uo +EN4bxE+WgscAD7Crl8IlKbgNMco+A3a38o9v8Pp/vHiaY0FDvB2XFrSLiv2VYRJY +YLuZqrVKR/1bqIzJjE/g6ENo56QxocMDfMOKOri07XQlMcb7gvlaxnqoXF+omat+ +yv27CAbO5fibc8Rq7cqpJZyA+iyba/FI4klZSNrk9CLpbTFsI62tHIX8cRYFrEEk +H0JrJcKEW+ZOtWJprNbs64E1ypJ4iguS1CoY4wIDAQABAoIBABV8oZzROVnX0W2h +WeQLLewRmyT/P9wYTu7bv44bBl863Eum5K/FUT5bGOWq7LRY47GhRIweTf+7/xJa +5peHQgs3QHs36aQ1xi1SUOYMMLEQ5S4rBYlO+SVoWfv2KzQ2vjgmPH4boNYFW0eU +24q9RwD2IfFqszgR1TUralfu2ukJWWi1zuNN4jJZfXZWcPLV26wMAdQrGhf7CnQ7 +1QN6SFNBKxpiKIXCs7ki2VmzAVg01FpmVsHkuRvn80dZ1FkkfXXaAYqNEulisAq0 ++Zv+QWXrK7IpmRpJQszr7VBGLlBrMTp9wFq+ep+Bui9e26pGXYETPnchUqtBFk5k +yylxduECgYEA/v8cJEX/W8H2//Dl2tOq+F6RKwxX56dlrs6LBSpYh9982CXrALG4 +Xuq8VmnjYYpdVxSyxMkex+Dih06BpQMmQci3mzHPGAPzkiFSxsogQBlB1MF4RphD +4UutZNdsmQb+l2NTGIyQR9TgLXjwKfEesia91HQGCTDPFzku/Xg0WBECgYEA9M0B +s9sLb4DC6LDoGlSlmIfKmJgZgbwjRhUI3Foplpzzrc+A23MaYbuhwVszch7S0Tib +OtEtJWTjryGAG5a/eCsVHtyAnJWxJiHV8yJ+xN1MTXIh9T6Xlablip8cBaHKZxLC +vhu5ZEIyGddYa2B6hG/x1ydMoz5pdMFGjKkFNbMCgYEA55HNgLOAn1eac/vVAdDP +pxZaRvnCqsE+em1fmqVGGL5AphppPAwpHymVN/SZZe89rONDJapvpZz4m2AUJEKj +74HUG8A0Dd8ox0Az6AuPFibZvdik3ZdRrbwID1gDa0UK13h/8f9U16benu0BTVWH +RsogAlwLTzVgG/r2TYFoJ8ECgYBa/u14Fp88lmddKY1NZFOdzDQh3r/0eqO+BEmj +5xv4cWUfIbfrWvDejWmGP0lzTUPeI6WICoM2mDcOPWyqVLHdkF4sd5iTHA2aeA9Y +bmUi9oPLcfZvfBHKvhwrGBPJgCeFgvLCyfly7CxFcMfcOiOwoRALgv842xVGIiYA +WT+ngwKBgAk1xBsENJlEGz6aeoby6ELx3QP9cQX5GG7YtPrrl9BziRIPc5YNJZfA +guw8rBxO72ilChrJIMfE8PZx6L4LJ+N1VTRgZ9T8F9ZGopqUtquc4OErmAYR0rH2 +ll/i9QPgHzUYm4L7kN2J/cejJnzhANnBiJbgE5wHUHsjT5sv3trO +-----END RSA PRIVATE KEY----- diff --git a/t/certs/ocsp/rsa_revoked.crt b/t/certs/ocsp/rsa_revoked.crt new file mode 100644 index 000000000000..e0f0eb77fc4a --- /dev/null +++ b/t/certs/ocsp/rsa_revoked.crt 
@@ -0,0 +1,39 @@ +-----BEGIN CERTIFICATE----- +MIIDMzCCAhugAwIBAgIBAzANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW +MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X +DTI0MDExMjEyNTE1MVoXDTM0MDEwOTEyNTE1MVowRTELMAkGA1UEBhMCQ04xFjAU +BgNVBAsMDUFwYWNoZSBBUElTSVgxHjAcBgNVBAMMFW9jc3AtcmV2b2tlZC50ZXN0 +LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALYwGl+ibVIY15Ma +rTq8L6XoUud4F8UYqImPbG5JVCn5R+t3n3YuAWNCAbOyFSzKOCVG0D3uBRVhUwTA +0jqMmhAkksOwCXmq912QgfR/m+NaxhF4ue+FjZzJkSE8Fw6+3ybwPUCL2Sta6LVF +6jTR8G+bT9VbySYd4wkY/Zs7+dTEG/B7ZXjJ7RkkRi0sRHaNmy/7t9xcAC1eQMqo +IOm39IDzxnOC6nNscBTtB7xeqKIi45UI5rKpCOP4xNBJQiUh7kXG6uB9ENa4gkTp +5kqy0YknRBZwFE/3H9rEeTWSrEwMzlcCJCo4oHVI8hFDeMVm3qxrRs8MYHxuIokp +VYbeKUUCAwEAAaM3MDUwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRw +Oi8vMTI3LjAuMC4xOjExNDUxLzANBgkqhkiG9w0BAQsFAAOCAQEAOlT+8PgUgny3 +DgZlLEsokKVxb8oWXJkvnSS/QX59aKfbyPUgPTmtIv7QoGFUSgVQHRDPfDh0rjwy +r7nNvl1FXfnlf/l4Bijywdj6ipG9WPUeV1cwT2x4OzAKxacTt300dPa4jfym9UTE +YECRP+8FmOA4PApXQCfxJ7VWojQXcL3MO5Yx/OWGfOlwJnBTcv9R1M3yNACOPjin +yD00F72Xlb6pB7tYuuhZxEqstzXduXC+IL15EXk6CR9VFLqN/ZOxIoO4cqyqWjDy +iKUzioflnVSEzm9ZzJHe24BWG8z8bJQ8PvYRWSHNYV+eJqGfV5k96JJ4Vh0mNLfc +B1BphTS5zg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDETCCAfmgAwIBAgIBBTANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW +MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X +DTI0MDExMjEyNTc0NloXDTM0MDEwOTEyNTc0NlowQzELMAkGA1UEBhMCQ04xFjAU +BgNVBAsMDUFwYWNoZSBBUElTSVgxHDAaBgNVBAMME29jc3AgdGVzdCBDQSBzaWdu +ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC+xUOj+eNfA5Epger +Ru0ZYXPQtq37rvsQzmSFFtrZvvusUpuJ4fvWXg2jl+XPaAUjfd1TWnirXfGQAGkY +06CShSW00PvxCxm1JvJiEjCCq6Xm5AVqf0vlWry2GYho49xYhbSGdPkS/s9l2q0H +J06nEdqpWFlQ0xE8x5sSYgwSfNvon/y+VX30tkWoAg1BrgH5v13MCPKSJBzUugbO +Ey+YpOzk7l9HuWL5MAg4iIX8y5tHzGueGeCJryxXxrU0ESC5E5ba9URoqD0UAM76 +cvM6UoLseUHfehwE+oRf8ZSShwgpK8QYgVFLTF+X3cNgCOrFB4oOb9Lvm21N57DB +fWohAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUA 
+A4IBAQAZsTHO1gB9PMwQT5zH5aS64c59sgfKHuiJGLlJdMPsT9gp2kYBIJXJCz0N +wSRcCUu6MpE+bwuXaYhNRjSegsgh1IUKhYmbwkksnixMAR3DLRJwhTZcRqui6uVb +YfHFwaGKeiCrbu7E4cw+tAdN8+Am2p96kwD4t9vSSFmfdf0qJoiLufQbThW/TqQx +Lnn426fkLNKqn489yvm1Aot0KTB/t73oVdFNS+qDYqaOoqYyJtKOm3yXSM2EUowp +NTeRIpWyb8//G+zahG2fQ9t7vqS8zo9PyRqZJumUxJclPJRe++6IqXHkX+hyp+o1 +8cndoRbIYiaJw9b/bTcqqwlWDPcI +-----END CERTIFICATE----- diff --git a/t/certs/ocsp/rsa_revoked.key b/t/certs/ocsp/rsa_revoked.key new file mode 100644 index 000000000000..1c47073cb190 --- /dev/null +++ b/t/certs/ocsp/rsa_revoked.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAtjAaX6JtUhjXkxqtOrwvpehS53gXxRioiY9sbklUKflH63ef +di4BY0IBs7IVLMo4JUbQPe4FFWFTBMDSOoyaECSSw7AJear3XZCB9H+b41rGEXi5 +74WNnMmRITwXDr7fJvA9QIvZK1rotUXqNNHwb5tP1VvJJh3jCRj9mzv51MQb8Htl +eMntGSRGLSxEdo2bL/u33FwALV5Ayqgg6bf0gPPGc4Lqc2xwFO0HvF6ooiLjlQjm +sqkI4/jE0ElCJSHuRcbq4H0Q1riCROnmSrLRiSdEFnAUT/cf2sR5NZKsTAzOVwIk +KjigdUjyEUN4xWberGtGzwxgfG4iiSlVht4pRQIDAQABAoIBAQCQ5Sz0hl/ffTZm +Hj9LiUNz9ZOJ1+8/p97SmKiqBdPUFhfm45qFCQ29fU+RNL62gpWov+r6dgTA/khi +bWBFhHE7CXtX+vduNlTJqxZP9/VpGlaQqq1mG5eG7KBqCDpmVdNwSnzMiuzLGGAf +W11raNSKTsFtdLRDhl18bM212jtVxNHVJ6itFZa5Ls0/VrD2KH9PXP0J5jugKYqi +GzHmt9RfmjhOPcAIOTYNP/5n1CiHERj5KytfXjN1BHWc3rx5uakaUntBkdevXWj+ +ZSspRi/ReuVCXWeldmi6Pg9hQSX3MGVndAx8J6ilmtqSrRvaCBRU6x9KLfuTVEz8 +UXap8UkBAoGBAOkjowQb/nWI5oqDs3SduXwVE+0yn8kBCk5x48ee1Vt0eCxtnuRs +qdPuldh6czsBj3ijmJ8Ny6aHQaaVuIlUbPjBDZGf7IVc0hj7sQ6o5Jcu9KmLLOBH +62fQDeuzM+EkGOcnH8aPvs31p5bMklhycyyyTXvmZba3hvST+Ske/3olAoGBAMgN +dtFrvAQoZMIV61kNTml3ehhUeWas/ry0WUHa4iaDnVMoJ0fwiMKk7kQDvJH8gxx3 +Cr7dSnI17yBYEn0HkXlTMq0IgjJp+K40temMFwMFOWrTtGUVcbibv1Yjx+8i7m2+ +pWnfGXGd6tolWRHAMe7B68q+x1iJEjQD/Ujx3XihAoGACJg3uj8N8mdJmHGie/oU +jG56fZQQL+jJ6HpqW0GPu/9fLsQbx2/6EsYI4CIjfVlhYKEnTzXC/DCgSvPaCbYD +DmiPh37NyVzSofklXdT8GFayzk1DKkF8fCc/XCEPGI2sHVlj4n4KGq2jr/t6qagO +dudb0+V6enHpl7qcxNdPs8ECgYBYM8+CUAzKjIC4Le/hCIPc7kePuJb6FSYPTzjX +V0lEj9zqkBaZmkzB/PPsWvVmLD4ma7n6Ixkyt+LhkNM9+vtB0dPTBKBa1+xD6ouW +GCUBOOly1zp/IvBL46d9tDLvlagoDNljj3DpbiXg3nyh3epmCWwLrQe5Wl4DPwsK +gVETYQKBgDvVy2JvG51tmrqg3bEkJ+8RWELK3DeJphVmlD+unkA6ONwJTB8gvDIE +mkrxulta1cgg+u3+oJ1Pbo6P19v6xOj9vr1NHmHTd6shpfx8cHVbOYo7tBX0zKcv +cPlhtyGb3LUmaHXc22qI3ooYAKUo6r0bsK6ixBQEQUyxxHOt2fz7 +-----END RSA PRIVATE KEY----- diff --git a/t/certs/ocsp/rsa_unknown.crt b/t/certs/ocsp/rsa_unknown.crt new file mode 100644 index 000000000000..dc222c425b7a --- /dev/null +++ b/t/certs/ocsp/rsa_unknown.crt 
@@ -0,0 +1,39 @@ +-----BEGIN CERTIFICATE----- +MIIDMzCCAhugAwIBAgIBBDANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW +MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X +DTI0MDExMjEyNTM0OFoXDTM0MDEwOTEyNTM0OFowRTELMAkGA1UEBhMCQ04xFjAU +BgNVBAsMDUFwYWNoZSBBUElTSVgxHjAcBgNVBAMMFW9jc3AtdW5rbm93bi50ZXN0 +LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKbh5sGRYVZoz4TU +ZkLWcA6VWugXrF+mOpgSZJ0FUWTeduQHPbrKenBgYmGPtojVd0+RHAtMk4CYayit +Ds9VgxAGEh9yN08DGJhXceK/3LmhxLMV2YIJBhz2lZsxTl/cEn6wfv0xEQcjuBSI +mNf6U2v7w1svHDWFGDKmc3iauds6bV0pNZ41YI0PaSSMmZkzAA6n6XPzk3YhvJF1 +26wJzLjGMjRMQw3E3enibUZpLPlY4PeSGzPMfBP4Z/kKV0Qm9TY+hY+w9Lfcgtv2 +0FXQSTZAMYxKH7gm6Udz5/6fNmPOMjroTkb3V5gVpu0XITn++93MWreEfiNQ3nNx +lPL6UAMCAwEAAaM3MDUwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRw +Oi8vMTI3LjAuMC4xOjExNDUxLzANBgkqhkiG9w0BAQsFAAOCAQEAQ3EtDW6zbzco +Zcs5M2oaw7oRC9nDs3ilNTssedq4JOnOb48dlYaDq79aChHPDcfuSJ78rG3xJy8a +Cpgwat+Qjp+JTeB7Ku+jdjY19aocxRl8yDB+MvQKbGEOFxL9LElh8SwvhbprihC8 +NvaBJb/tDkKkIgGoR/FU5tRRi13U69Lo0SkkD22cPw+Y5p70gHEREvhIkmuBDqGq +eNgjnOm/0SUq/6NarPHxRtmZUPioVRzaLd8qd8LQhW8/NllXKwFCNsnujByPlNoy +g72tUTAR5P1yAPKiZ0ngIjKIzYcv6ZGUR0gMIn86N8bnVB84e3rJuBYN0/DVFqZO +9PrWQeSqIg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDETCCAfmgAwIBAgIBBTANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW +MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X +DTI0MDExMjEyNTc0NloXDTM0MDEwOTEyNTc0NlowQzELMAkGA1UEBhMCQ04xFjAU +BgNVBAsMDUFwYWNoZSBBUElTSVgxHDAaBgNVBAMME29jc3AgdGVzdCBDQSBzaWdu +ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC+xUOj+eNfA5Epger +Ru0ZYXPQtq37rvsQzmSFFtrZvvusUpuJ4fvWXg2jl+XPaAUjfd1TWnirXfGQAGkY +06CShSW00PvxCxm1JvJiEjCCq6Xm5AVqf0vlWry2GYho49xYhbSGdPkS/s9l2q0H +J06nEdqpWFlQ0xE8x5sSYgwSfNvon/y+VX30tkWoAg1BrgH5v13MCPKSJBzUugbO +Ey+YpOzk7l9HuWL5MAg4iIX8y5tHzGueGeCJryxXxrU0ESC5E5ba9URoqD0UAM76 +cvM6UoLseUHfehwE+oRf8ZSShwgpK8QYgVFLTF+X3cNgCOrFB4oOb9Lvm21N57DB +fWohAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUA 
+A4IBAQAZsTHO1gB9PMwQT5zH5aS64c59sgfKHuiJGLlJdMPsT9gp2kYBIJXJCz0N +wSRcCUu6MpE+bwuXaYhNRjSegsgh1IUKhYmbwkksnixMAR3DLRJwhTZcRqui6uVb +YfHFwaGKeiCrbu7E4cw+tAdN8+Am2p96kwD4t9vSSFmfdf0qJoiLufQbThW/TqQx +Lnn426fkLNKqn489yvm1Aot0KTB/t73oVdFNS+qDYqaOoqYyJtKOm3yXSM2EUowp +NTeRIpWyb8//G+zahG2fQ9t7vqS8zo9PyRqZJumUxJclPJRe++6IqXHkX+hyp+o1 +8cndoRbIYiaJw9b/bTcqqwlWDPcI +-----END CERTIFICATE----- diff --git a/t/certs/ocsp/rsa_unknown.key b/t/certs/ocsp/rsa_unknown.key new file mode 100644 index 000000000000..d1d7df105f33 --- /dev/null +++ b/t/certs/ocsp/rsa_unknown.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEApuHmwZFhVmjPhNRmQtZwDpVa6BesX6Y6mBJknQVRZN525Ac9 +usp6cGBiYY+2iNV3T5EcC0yTgJhrKK0Oz1WDEAYSH3I3TwMYmFdx4r/cuaHEsxXZ +ggkGHPaVmzFOX9wSfrB+/TERByO4FIiY1/pTa/vDWy8cNYUYMqZzeJq52zptXSk1 +njVgjQ9pJIyZmTMADqfpc/OTdiG8kXXbrAnMuMYyNExDDcTd6eJtRmks+Vjg95Ib +M8x8E/hn+QpXRCb1Nj6Fj7D0t9yC2/bQVdBJNkAxjEofuCbpR3Pn/p82Y84yOuhO +RvdXmBWm7RchOf773cxat4R+I1Dec3GU8vpQAwIDAQABAoIBAGVK6siFGKLdPVBv +p55cEGoZp7MGY38vI5OYXm+cgboK+fkQmBxfuA+rwStckrvdbezitDX7hfBhE3H+ +EOYyDjpUpP1nU0DnLS+SrDKoqC4YjY7x7TLrjUVZOpeXRu4SYzt4n6vI83/040+7 +VaKKc8Ywa3RWVPX7UiO0OpRyverdQgXKxaIKukO8v1IhMQ5cshvLStFpJSLlN+Cy +2BO3uGSth7dLHG/OIz8SoGp/m5ofpBUny5FAb2EWZM/eGP/VZN2hVrYfbx5d3dVs +8AtuboH/LRCbh9IE0P5mOIZFc4r1VodozkGP83fMYiEP61pyEVDvTFcvZizJRN6h +LDNlm/kCgYEA0FdQvOjKjpogUHBJkYrH9yuSlFIwzqp+I1ZsPBUORt/czfOQapf4 +HjFtUj6JvqZW3xn7rPiwTnXys9x6KP5xzjbia6or7dL/D1q7bk0oKvqhVF1LiQ2X +545a3zErLpkMmH9fSVVyTC4x+hIfN0PlrhXh0mH2urT2+K3v7j/4408CgYEAzQ64 +tzs1zVGdIgRmiQV0eP9qoB7y3vmcxZq0NKjNyoMbXhuo3muGY33AzCY6qSdFLigI +8LLZms/7o5VYp9ckaYPnuYwABzXrxN4fz1vSAe0y64X8i7P09W+pB8uh07nJVTpJ +rSC+E4fNgvnvnaVp30G0gRj29OmxMrWQt8gvqw0CgYB88mCxastQCo8mrrDwYFLc +oX0fBsvOpeFQQBxZTCdrygYaXeBWjR14vhvaHzds50ViN6sAaYUTCRmtVKTOwQpv +qerQtxXxY4EkLD4MQKm+XOE0P191qnlXncBR6qMDJzaunnT+/ge2OF4wo32lH0s3 +xFfSXH4kKzOSoH4sXKFfcQKBgHeB8+9+B54wyYZQ0D1dO4NlQIwvXVbMXSzhO9NQ +6hbzkBipwCJYwkrruFiCkz+QToZW+NbnNWE/g6XT3YZ8IZGJOZzu1fld2Jm05w8f +sWZECqAvR39YExSTzgxoBllx9r/AJ75Jzd1uET0bUyYqiGiAT6XJmewk4ovuO3iQ +qA9lAoGBAKKmSj69vgldBUuLQx5AGOb5ivIou8M4f6yJBKkU/fSuUjxy5EVvAOTe +YYtZVcNymzSdk8SXEg9krCK6QHDa/H6M8bLu/aJHk6pXwPFRWPG2TyQcYDg/ItlV +FK6rvRA+dxwFMi5p1TwZIE4gVkqExSWD77jgxfA8wfbSh2B/BCNi +-----END RSA PRIVATE KEY----- diff --git a/t/certs/ocsp/signer.crt b/t/certs/ocsp/signer.crt new file mode 100644 index 000000000000..b85bd0a52eaa --- /dev/null +++ b/t/certs/ocsp/signer.crt 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDETCCAfmgAwIBAgIBBTANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW +MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X +DTI0MDExMjEyNTc0NloXDTM0MDEwOTEyNTc0NlowQzELMAkGA1UEBhMCQ04xFjAU +BgNVBAsMDUFwYWNoZSBBUElTSVgxHDAaBgNVBAMME29jc3AgdGVzdCBDQSBzaWdu +ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC+xUOj+eNfA5Epger +Ru0ZYXPQtq37rvsQzmSFFtrZvvusUpuJ4fvWXg2jl+XPaAUjfd1TWnirXfGQAGkY +06CShSW00PvxCxm1JvJiEjCCq6Xm5AVqf0vlWry2GYho49xYhbSGdPkS/s9l2q0H +J06nEdqpWFlQ0xE8x5sSYgwSfNvon/y+VX30tkWoAg1BrgH5v13MCPKSJBzUugbO +Ey+YpOzk7l9HuWL5MAg4iIX8y5tHzGueGeCJryxXxrU0ESC5E5ba9URoqD0UAM76 +cvM6UoLseUHfehwE+oRf8ZSShwgpK8QYgVFLTF+X3cNgCOrFB4oOb9Lvm21N57DB +fWohAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUA +A4IBAQAZsTHO1gB9PMwQT5zH5aS64c59sgfKHuiJGLlJdMPsT9gp2kYBIJXJCz0N +wSRcCUu6MpE+bwuXaYhNRjSegsgh1IUKhYmbwkksnixMAR3DLRJwhTZcRqui6uVb +YfHFwaGKeiCrbu7E4cw+tAdN8+Am2p96kwD4t9vSSFmfdf0qJoiLufQbThW/TqQx +Lnn426fkLNKqn489yvm1Aot0KTB/t73oVdFNS+qDYqaOoqYyJtKOm3yXSM2EUowp +NTeRIpWyb8//G+zahG2fQ9t7vqS8zo9PyRqZJumUxJclPJRe++6IqXHkX+hyp+o1 +8cndoRbIYiaJw9b/bTcqqwlWDPcI +-----END CERTIFICATE----- diff --git a/t/certs/ocsp/signer.key b/t/certs/ocsp/signer.key new file mode 100644 index 000000000000..c95f012d455c --- /dev/null +++ b/t/certs/ocsp/signer.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAwvsVDo/njXwORKYHq0btGWFz0Lat+677EM5khRba2b77rFKb +ieH71l4No5flz2gFI33dU1p4q13xkABpGNOgkoUltND78QsZtSbyYhIwgqul5uQF +an9L5Vq8thmIaOPcWIW0hnT5Ev7PZdqtBydOpxHaqVhZUNMRPMebEmIMEnzb6J/8 +vlV99LZFqAINQa4B+b9dzAjykiQc1LoGzhMvmKTs5O5fR7li+TAIOIiF/MubR8xr +nhngia8sV8a1NBEguROW2vVEaKg9FADO+nLzOlKC7HlB33ocBPqEX/GUkocIKSvE +GIFRS0xfl93DYAjqxQeKDm/S75ttTeewwX1qIQIDAQABAoIBAF5EUBDjSBriYG+W +Kd0IBHeh4wGEYKdvGNkuP/EMdLCTok/U/Hf0NvKUNFnkhWn6K4nWP1weQHrxh2mM +mUM0hcxw7SL3audF657mfoclrihu3l273lZ3xvTTIquTupyjlZOCyR28jfM+GH1w +9Piha2hgvGvlWAE4mnvdMT75AkcpGEDvKrJec3Kkq7DfnW/AotVc8yJG0Q2JwkRJ +y0ITJBWkA+WtLscqRyp4tvSAtAByBdynuMpEskIrOOC7WtxLJD+JJtzO7H31irC1 +ON3x4czwiVKbVjxworoD5R/2Gy7JKK+pou0TNTcFrFm/+mU0Ig3VkcZTlDSTWJio +4D3CinECgYEA62fnLuxVOP9X/lgkKjN/xtTMqcDHOXz/1tyMewj6jRzFWu42b8k1 +ECDtzx1Aug8cqsA7pUvBxeC7DzyZmo3zybHRsUf9mQzUA7WK7RN4SK0O4FOZ6PbZ +1116aZqwIiYpMhXL5syC+5yVWEJkbtClMciCbDlp5Y/+PISHl24assUCgYEA1AnU +AsDKWysYoVqePfBoLDaep+5Q9VQr8T9AyXlvrqtpmLiBZR8Oh4iOGDJmFSsQOQWP +peYIuf9eTXh6DH0BhIr/wSbhleiS/ibuOPEUosnwUzC64rkcgXzofbKOyHig5o8y +45XGUzVSJQPBQM3fVEyuGV1vZKZ/2CVhnFBl360CgYBP1bMPtNLKO77J4XaSYVjK +Q80NHPXzxzK02aNC7q6aQNGlnvgTPTejuqcsAI29C/b66arQyjpzM139Mt4dDltJ +Yebtqq6Uw0b74wu0j0/Rxe8voOqnmWATq/4h5nYpfqul8sJuCZm6X0Y+4nVRJ61+ +jrO8pFQHqKfeOkwJzSt8yQKBgGCNAR8nznzpCNQgQUIPAEBxtpjdKbwsUb4OgV+8 +jiBJKVJDYZg8Jg+NHLbj7BvjegWdBKYUMxEOuVApddnN6i0CZib7n2j1eEmGTJ9d +F3pw3Z/j5pVqmRJVYEAsWFvsoceamR+MibxF4Vu9c/ggRntKV1RxeVGphzlS/DmD +WoAZAoGBAL9bHijnEzrijuWa1M9LV1eTCQyr0bihL86Z4pEI+B2NX5lWpcOQi8IU +W4wbN02e8g2u9DGgm6yg2eNbkVg4XWuaXUV7a3fGwnmtuWnxGhU/37Lrcou34bsM +3TvP055+kATwZ98X2MzvAUDIKdO9k+/s41H33frdJQgwCH5ArWGp +-----END RSA PRIVATE KEY----- From f376abb5cfb2a58273201009c18378a82975eb6c Mon Sep 17 00:00:00 2001 
From: yuweizzz
Date: Sun, 14 Jan 2024 21:03:03 +0800
Subject: [PATCH 20/28] done
---
 apisix/plugins/ocsp-stapling.lua | 83 +++---
 t/APISIX.pm | 1 +
 t/certs/ocsp/ca.crt | 19 --
 t/certs/ocsp/ca.key | 27 --
 t/certs/ocsp/ecc_good.crt | 71 ++---
 t/certs/ocsp/rsa_good.crt | 80 +++---
 t/certs/ocsp/rsa_revoked.crt | 81 +++---
 t/certs/ocsp/rsa_unknown.crt | 81 +++---
 t/certs/ocsp/signer.crt | 37 +--
 t/plugin/ocsp-stapling.t | 448 ++++++++++++++++++++++++-------
 10 files changed, 607 insertions(+), 321 deletions(-)
 delete mode 100644 t/certs/ocsp/ca.crt
 delete mode 100644 t/certs/ocsp/ca.key
diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua
index bee115b86f2e..f4dab9db5fba 100644
--- a/apisix/plugins/ocsp-stapling.lua
+++ b/apisix/plugins/ocsp-stapling.lua
@@ -18,17 +18,16 @@
 --
 local require = require
-local pcall = pcall
 local get_request = require("resty.core.base").get_request
 local http = require("resty.http")
-local ngx_ctx = require("ngx.ctx")
+local ngx = ngx
 local ngx_ocsp = require("ngx.ocsp")
 local ngx_ssl = require("ngx.ssl")
 local radixtree_sni = require("apisix.ssl.router.radixtree_sni")
 local core = require("apisix.core")
 local apisix_ssl = require("apisix.ssl")
+local plugin = require("apisix.plugin")
-local cache_ttl = 3600
 local plugin_name = "ocsp-stapling"
 local ocsp_resp_cache = ngx.shared[plugin_name]
@@ -81,15 +80,15 @@ local function set_pem_ssl_key(sni, cert, pkey)
 end
-local function get_remote_ocsp_resp(der_cert_chain)
- core.log.debug("get remote ocsp resp ... ")
+local function fetch_ocsp_resp(der_cert_chain)
+ core.log.info("fetch ocsp response from remote")
 local ocsp_url, err = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain)
- -- if cert not support ocsp, the report error is nil
- if not err then
- err = "cert not cotains authority_information_access extension"
- end
 if not ocsp_url then
+ -- if cert not support ocsp, the report error is nil
+ if not err then
+ err = "cert not contains authority_information_access extension"
+ end
 return nil, "failed to get ocsp url: " .. err
 end
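Review bot: `fetch_ocsp_resp` runs inside the TLS handshake on every cache miss, and the part of its body after the visible `return nil, "failed to get ocsp url: " .. err` (the resty.http request to the responder URL read from the certificate's AIA extension) continues outside the hunk; if that code does not set an explicit connect/read timeout on the client, an unreachable responder stalls each cache-missing handshake for the default socket timeout, and concurrent misses for the same chain each fire their own request. A per-chain lock (resty.lock) or a short negative-cache entry on failure would bound both, and a header comment should state the contract: `-- Fetch a fresh OCSP response for der_cert_chain from the responder named in its AIA extension. Returns the DER response, or nil and an error message. Runs in the ssl_certificate phase, so it blocks the handshake.`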
@@ -125,37 +124,33 @@ local function get_remote_ocsp_resp(der_cert_chain)
 end
-local function set_ocsp_resp(full_chain_pem_cert)
+local function set_ocsp_resp(full_chain_pem_cert, skip_verify, cache_ttl)
 local der_cert_chain, err = ngx_ssl.cert_pem_to_der(full_chain_pem_cert)
 if not der_cert_chain then
 return false, "failed to convert certificate chain from PEM to DER: ", err
 end
- local ocsp_resp = ocsp_resp_cache:get(full_chain_pem_cert)
- local resp_from_cache = true
- if ocsp_resp == nil then
- core.log.debug("not ocsp resp cache found, fetch from ocsp responder")
- resp_from_cache = false
- ocsp_resp, err = get_remote_ocsp_resp(der_cert_chain)
- end
-
+ local ocsp_resp = ocsp_resp_cache:get(der_cert_chain)
 if ocsp_resp == nil then
- return false, err
+ core.log.info("not ocsp resp cache found, fetch from ocsp responder")
+ ocsp_resp, err = fetch_ocsp_resp(der_cert_chain)
+ if ocsp_resp == nil then
+ return false, err
+ end
+ core.log.info("fetch ocsp resp ok, cache it")
+ ocsp_resp_cache:set(der_cert_chain, ocsp_resp, cache_ttl)
 end
- local ok, err = ngx_ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain)
- if not ok then
- -- try delete cache
- if resp_from_cache then
- ocsp_resp_cache:delete(full_chain_pem_cert)
+ if not skip_verify then
+ local ok, err = ngx_ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain)
+ if not ok then
+ return false, "failed to validate ocsp response: " .. err
 end
- return false, "failed to validate ocsp response: " .. err
 end
- ocsp_resp_cache:set(full_chain_pem_cert, ocsp_resp, cache_ttl)
 -- set the OCSP stapling
 ok, err = ngx_ocsp.set_ocsp_status_resp(ocsp_resp)
- if not ok or err ~= nil then
+ if not ok then
 return false, "failed to set ocsp status response: " .. err
 end
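Review bot: The context line `ok, err = ngx_ocsp.set_ocsp_status_resp(ocsp_resp)` now assigns to an undeclared `ok`, because this commit moves the only `local ok, err` into the `if not skip_verify then` block; that is an accidental global (luacheck flags it) and should read `local ok, err = ngx_ocsp.set_ocsp_status_resp(ocsp_resp)`. Separately, `ocsp_resp_cache:set(der_cert_chain, ocsp_resp, cache_ttl)` now runs before `validate_ocsp_response` and the delete-on-failure branch from PATCH 17 is gone, so a response that fails validation, or that validate_ocsp_response later rejects as expired, stays cached and is rejected again on every handshake for the rest of cache_ttl with no refetch, i.e. stapling silently stops for up to cache_ttl seconds. Validating before caching and evicting a cached entry that fails keeps the cache self-healing, as in the rewrite below; `skip_verify` also deserves a comment that it staples whatever the responder returned without checking its signature or status. Pre-existing in the context line `return false, "failed to convert certificate chain from PEM to DER: ", err`, the comma where `..` was meant means the caller's log never shows err. The function's final `return true` is outside the hunk.
```lua
local function set_ocsp_resp(full_chain_pem_cert, skip_verify, cache_ttl)
    -- … unchanged: PEM to DER conversion and its error return …
    local ocsp_resp = ocsp_resp_cache:get(der_cert_chain)
    local from_cache = ocsp_resp ~= nil
    if not from_cache then
        core.log.info("not ocsp resp cache found, fetch from ocsp responder")
        ocsp_resp, err = fetch_ocsp_resp(der_cert_chain)
        if ocsp_resp == nil then
            return false, err
        end
    end

    if not skip_verify then
        local ok, err = ngx_ocsp.validate_ocsp_response(ocsp_resp, der_cert_chain)
        if not ok then
            if from_cache then
                -- drop the stale/bad entry so the next handshake refetches
                ocsp_resp_cache:delete(der_cert_chain)
            end
            return false, "failed to validate ocsp response: " .. err
        end
    end

    -- only cache a response that has passed validation (or that the
    -- operator explicitly chose not to validate)
    if not from_cache then
        core.log.info("fetch ocsp resp ok, cache it")
        ocsp_resp_cache:set(der_cert_chain, ocsp_resp, cache_ttl)
    end

    -- set the OCSP stapling
    local ok, err = ngx_ocsp.set_ocsp_status_resp(ocsp_resp)
    -- … unchanged: error return and final return true …
```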
@@ -171,8 +166,13 @@ local function set_cert_and_key(sni, value)
 return original_set_cert_and_key(sni, value)
 end
- if value.ocsp_stapling then
- if not ngx_ctx.tls_ext_status_req then
+ if not value.ocsp_stapling then
+ core.log.info("no 'ocsp_stapling' field found, no need to run ocsp-stapling plugin")
+ return original_set_cert_and_key(sni, value)
+ end
+
+ if value.ocsp_stapling.enabled then
+ if not ngx.ctx.tls_ext_status_req then
 core.log.info("no status request required, no need to send ocsp response")
 return original_set_cert_and_key(sni, value)
 end
@@ -196,13 +196,17 @@ local function set_cert_and_key(sni, value)
 end
 end
- local ok, err = set_ocsp_resp(fin_pem_cert)
+ local ok, err = set_ocsp_resp(fin_pem_cert,
+ value.ocsp_stapling.skip_verify,
+ value.ocsp_stapling.cache_ttl)
 if not ok then
 core.log.error("no ocsp response send: ", err)
 end
 return true
 end
+
+ return original_set_cert_and_key(sni, value)
 end
@@ -219,14 +223,31 @@ function _M.init()
 end
 core.schema.ssl.properties.ocsp_stapling = {
- type = "boolean"
+ type = "object",
+ properties = {
+ enabled = {
+ type = "boolean",
+ default = false,
+ },
+ skip_verify = {
+ type = "boolean",
+ default = false,
+ },
+ cache_ttl = {
+ type = "integer",
+ minimum = 60,
+ default = 3600,
+ },
+ }
 }
+
 end
 function _M.destroy()
 radixtree_sni.set_cert_and_key = original_set_cert_and_key
 core.schema.ssl.properties.ocsp_stapling = nil
+ ocsp_resp_cache:flush_all()
 end
diff --git a/t/APISIX.pm b/t/APISIX.pm
index 161c40feb986..6428de1c510d 100644
--- a/t/APISIX.pm
+++ b/t/APISIX.pm
@@ -571,6 +571,7 @@ _EOC_
 lua_shared_dict kubernetes-first 1m;
 lua_shared_dict kubernetes-second 1m;
 lua_shared_dict tars 1m;
+ lua_shared_dict ocsp-stapling 10m;
 lua_shared_dict xds-config 1m;
 lua_shared_dict xds-config-version 1m;
 lua_shared_dict cas_sessions 10m;
diff --git a/t/certs/ocsp/ca.crt b/t/certs/ocsp/ca.crt
deleted file mode 100644
index a914cc882d99..000000000000
--- a/t/certs/ocsp/ca.crt
+++ /dev/null
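Review bot: In the second hunk, when `set_ocsp_resp` fails the `core.log.error("no ocsp response send: ", err)` branch still returns true, so the handshake continues with the certificate already installed but no staple; that is a sensible default for ordinary certificates, yet for one carrying the must-staple (TLS feature) extension the client will abort instead, and this soft-fail choice is not written down anywhere. A comment on that branch would make it explicit: `-- stapling is best-effort: cert and key are already set, so log and finish the handshake without a staple`. In the first hunk a certificate whose `ocsp_stapling` object has `enabled = false` now takes the fallback path as well, which matches the schema default but should be stated next to the field. set_cert_and_key begins before the first hunk.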
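Review bot: `cache_ttl` gets `minimum = 60` but no `maximum`, and `set_ocsp_resp` never consults the response's own nextUpdate, so a large value pins one OCSP response well past the window the responder signed it for; either add a `maximum` (something on the order of a day, as a constructed example) or add a `description` saying the value must stay below the responder's refresh interval. `skip_verify` also ships without a `description`; since it bypasses `validate_ocsp_response`, the staple is sent without checking the responder's signature or the certificate's status, and the field should say it is intended for testing only, e.g. `description = "Skip verification of the fetched OCSP response; for testing only"`.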
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDFjCCAf6gAwIBAgIUAnhMqrkvSgWhsBCMZ1JTCPcu7vMwDQYJKoZIhvcNAQEL -BQAwPDELMAkGA1UEBhMCQ04xFjAUBgNVBAsMDUFwYWNoZSBBUElTSVgxFTATBgNV -BAMMDG9jc3AgdGVzdCBDQTAeFw0yNDAxMTIxMjQ2MjNaFw0zNDAxMDkxMjQ2MjNa -MDwxCzAJBgNVBAYTAkNOMRYwFAYDVQQLDA1BcGFjaGUgQVBJU0lYMRUwEwYDVQQD -DAxvY3NwIHRlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCk -ZQCxB1QLw53pmmuv3QrLy37owSHzPkl4+sRF4usOCLQD+hQOesjNM9NHAI4TElQT -3Zr7q6DjAMPQQXq1yI9N79lA2OEIU4SiY5zgWeAcqMnurpDtYAL8Hw4dP5EfJQWx -4kOolrWbyhSYyjdkdLJsvnutBKl41Pw2Wjc/+XMxapolSqoY331mr9ZT2knpPQFh -bUnTMLy9ft5TIMXNePOL0cb9CEekjjq/YkrjbcanUsOdCuDioK6JkqXVvtRbXGsu -igFWBu3yHu8zAelgDcqzNW2K1SRPhiXwvRYkgMfoQiaPHaAjR+yU2oe0FwgbOw2w -RZmAhTZoPm06vwmy1UEhAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN -AQELBQADggEBACfkJIB/4tTYzB8nE1hcD0XsJodgcRiFUgGl4zi40EMpNF51at46 -DzoLqqpe7Y/F+X8Lk1wW0k+Yr5iY6VPEkRJ2Qa74kN3CBfjCfAhNnSwrIWFcDf7c -o31ZTfDGGokhse6bu0taIQVyaei/cJXzcJpBa9a6xkH+PH9n7xY45Sy6PLfJosZ5 -vfnSOSzvCoF4cnldyQ5/M0EdsJpaMRtKgPY2T+QgE7tgVBpx3GE2L+gn0R1eChpz -9flVo1AdDoL/GeLjveHoEHsqQKZ/f53gED5kr4qeOMmDUSyP1G8ybwG55GoH0Fyf -+Wg9hs5VVx13uUKV0j976aBDLhtlNcP/kHc= ------END CERTIFICATE----- diff --git a/t/certs/ocsp/ca.key b/t/certs/ocsp/ca.key deleted file mode 100644 index b1f98ba88178..000000000000 --- a/t/certs/ocsp/ca.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEApGUAsQdUC8Od6Zprr90Ky8t+6MEh8z5JePrEReLrDgi0A/oU -DnrIzTPTRwCOExJUE92a+6ug4wDD0EF6tciPTe/ZQNjhCFOEomOc4FngHKjJ7q6Q -7WAC/B8OHT+RHyUFseJDqJa1m8oUmMo3ZHSybL57rQSpeNT8Nlo3P/lzMWqaJUqq -GN99Zq/WU9pJ6T0BYW1J0zC8vX7eUyDFzXjzi9HG/QhHpI46v2JK423Gp1LDnQrg -4qCuiZKl1b7UW1xrLooBVgbt8h7vMwHpYA3KszVtitUkT4Yl8L0WJIDH6EImjx2g -I0fslNqHtBcIGzsNsEWZgIU2aD5tOr8JstVBIQIDAQABAoIBAGHKd2vXaSaKWgBh -TJfTzJ1IUxkP8ispLTmbKnBMOPkjMjp/Y7jtT0/J+W9uJBWyPHOIyq3U/aKrjM/w -c5d5U83P1JOfr9VtISQcT3Ch5hAGVAD4tNuP1pa1voaljqVRN58Gcqrx49xljHUL -LYJDbPQFJ7rXYByxzcpjRiR3Ng/5Xtyi8nDuGF+fnT6k/juFLT0sSz2jEjOa2FXl -uvHKnn1bxTh7MEFJvh6/vaPglCPjWxyJtrFn0p3DsE4hEK/530rMpO23bLHwqmwp -g5v55iRyLTkbnZMlrK+E+NAf7QUVBLaI1R+NClWHvjhugK9dBT+lKqTmw/3htLtz -EZCyDLUCgYEAz6fuER+5NE8YeUudfYqNX+tfgPeIhZValWB4lBgZ6yKZgfSwFcGc -NfObW2Xz8mtLhBjajxQXHhHAsKhI+DfUwcBDafhZEY2jc4lYno/lsfDDFqSFpIdY -lP0xLZupxFpI9nvmNfDWx1LFeN8MMsWR2FHv0NR+fSGdXj2xd8k54eMCgYEAyqq9 -BXsjlareIFJuqNdORoSCk3BgRBav9SBmU0sZiv7A27jQOl4R1oLctubFNQ5tJ9Z5 -778dk3O2yNjzt5UEbQ8w/tPNzFxo25N3bUB5uBi12LhTVF8cPOxq2zd+hWPQvRwG -edseLUxq6WNc19tpeACUo0LuZtIxETarf03jcCsCgYEAo6EWTVQMIpX5GQtmjJhz -EpRsazmi0HCCMpcULM5ZDhnzkJ35awtnRnQxhXHvKqU1ml/jST9xf/ZJOmtBJKcJ -9arE9GoH9XcAx3gA5uFJBFBNyjfWP3GPcceZyvCQc/MY73FuVC71b5dfmAFaoV9h -r23RZWMsUPn+AVbn0xYzkDUCgYEAhyTvwxXoFsfIM5mEfUaFxfRa9mJ7bywJzdX7 -JhPwRoW2qU5GXIWaM4c0Eysz2jtygpw816iD2m3RN4Gkk4jlWKxGqccndt0wdyuQ -+eOCx0aDDK9tsddyhxXH88K/tcdnzJNBpkR9jQtmR5egs7h2TjVk6LGbNCl52tav -6cZQod0CgYB6Lj2Xw4+T9zMDG5YzEHuB6W6Acv5/Cmy3aPtsaZ+/GyA+lJgdVeII -L6ktTtBc7E+RwgK0URs3kBv12oQebrljXaO6YCwPEXxEtPAyVE7aGa/3zYH2LECZ -20vXN/24QEN946wJXMCJCmgsy1tzdHjrBfx2NEiJyyNWLAMsQXSodQ== ------END RSA PRIVATE KEY----- diff --git a/t/certs/ocsp/ecc_good.crt b/t/certs/ocsp/ecc_good.crt index c29d85dcd25f..da1b9c091c80 100644 --- a/t/certs/ocsp/ecc_good.crt +++ b/t/certs/ocsp/ecc_good.crt 
@@ -1,34 +1,45 @@ -----BEGIN CERTIFICATE----- -MIICYDCCAUigAwIBAgIBAjANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW -MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X -DTI0MDExMjEyNTAyNFoXDTM0MDEwOTEyNTAyNFowPTELMAkGA1UEBhMCQ04xFjAU -BgNVBAsMDUFwYWNoZSBBUElTSVgxFjAUBgNVBAMMDW9jc3AudGVzdC5jb20wWTAT -BgcqhkjOPQIBBggqhkjOPQMBBwNCAASLmQpqv75l+S6ha6WvaLeUm6BITckv6+VB -k+2pIyDgFwVcGZJ9b5vxLEKfVTBfMq1mZBihZhJaNGQFwMoY5/Q+ozcwNTAzBggr -BgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6MTE0NTEv -MA0GCSqGSIb3DQEBCwUAA4IBAQCHGcRSEFYfCU2Jn3EvE/fzdqtFNycqaeJm4Ism -yNYnyHA1gF1cGpTx7xo1k00LfaHB53DH7IQcMY9x8/NyZljpk+gR9ZmtWsxqTuTb -tDWVlsyt3F6RQlq/RC3wg/8hImLO2+5hdck9gV0VtI0Gwb/cFkPEPg9X3TZ3MLm/ -Uax23sUA2d8QN1R/16lt0uua/uHSM6Cv/RNCQ8j31g6GgpdxS/k4haG4G3h3ShF/ -qruYuobz81p8OhoB+yhGKmkNyfqmz63FWVspPgd8PWEhZ0ugSse5J+DZlizyAlkI -XKm8eYXO/4cFR2A3yxIsb2tu9s1LTMg9u4GS+xnxIwUqGMik +MIIC+jCCAWKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDTjES +MBAGA1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDzANBgNVBAoMBmly +ZXN0eTERMA8GA1UEAwwIdGVzdC5jb20wHhcNMjQwMTEyMTQ1OTUwWhcNMzQwMTA5 +MTQ1OTUwWjA9MQswCQYDVQQGEwJDTjEWMBQGA1UECwwNQXBhY2hlIEFQSVNJWDEW +MBQGA1UEAwwNb2NzcC50ZXN0LmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA +BIuZCmq/vmX5LqFrpa9ot5SboEhNyS/r5UGT7akjIOAXBVwZkn1vm/EsQp9VMF8y +rWZkGKFmElo0ZAXAyhjn9D6jNzA1MDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcw +AYYXaHR0cDovLzEyNy4wLjAuMToxMTQ1MS8wDQYJKoZIhvcNAQELBQADggGBAIEm +LKKS+eGBazPpSRvq2agnqmjM+PHVWRB/O/+LNOO69Lji3wRtq6T2zNHPZQXw1OMA +3C9HcIwaawTyb+hm+vX8yBr5mgS1UOtmDYzbnlpERjJBjxmPXTZLDbzogHshbabp +227p/IAjWm/2F2VPXjiX+aV1pYrhCcO7zUtBEu9KaoG3Amxg8T2WVamTV+J6r0SL +fkvYItZwbawSfwQlZ+22H4Mttu/bd2USTusT4zLAflv9UFh20bA1PizvcKK1brWS +IH2rxxSLCvu2wmrGsrLVn+9yD6xNsn4m6DyCWx9S/Tas7KLub8BjnCzP8YEvrVpV +fotefEMY5h0waj9Zc32l+6gk8Ntyp2ozWi+iu4eo0Y5SUqHlPjuGUXOivp5o/6b0 +gF5M9jtkXvbH2ffrOiz9YUo4fVwk6ws5OQTr9WsildEHZH4ADOW6HqPYkOnuxhdM +p6JP0LmnO/S60/k/ZH8nMTcSUfE+qcDg3LlH5ay2fv6IKz5BaVkyHPNreRi9qg== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- 
-MIIDETCCAfmgAwIBAgIBBTANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW -MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X -DTI0MDExMjEyNTc0NloXDTM0MDEwOTEyNTc0NlowQzELMAkGA1UEBhMCQ04xFjAU -BgNVBAsMDUFwYWNoZSBBUElTSVgxHDAaBgNVBAMME29jc3AgdGVzdCBDQSBzaWdu -ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC+xUOj+eNfA5Epger -Ru0ZYXPQtq37rvsQzmSFFtrZvvusUpuJ4fvWXg2jl+XPaAUjfd1TWnirXfGQAGkY -06CShSW00PvxCxm1JvJiEjCCq6Xm5AVqf0vlWry2GYho49xYhbSGdPkS/s9l2q0H -J06nEdqpWFlQ0xE8x5sSYgwSfNvon/y+VX30tkWoAg1BrgH5v13MCPKSJBzUugbO -Ey+YpOzk7l9HuWL5MAg4iIX8y5tHzGueGeCJryxXxrU0ESC5E5ba9URoqD0UAM76 -cvM6UoLseUHfehwE+oRf8ZSShwgpK8QYgVFLTF+X3cNgCOrFB4oOb9Lvm21N57DB -fWohAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUA -A4IBAQAZsTHO1gB9PMwQT5zH5aS64c59sgfKHuiJGLlJdMPsT9gp2kYBIJXJCz0N -wSRcCUu6MpE+bwuXaYhNRjSegsgh1IUKhYmbwkksnixMAR3DLRJwhTZcRqui6uVb -YfHFwaGKeiCrbu7E4cw+tAdN8+Am2p96kwD4t9vSSFmfdf0qJoiLufQbThW/TqQx -Lnn426fkLNKqn489yvm1Aot0KTB/t73oVdFNS+qDYqaOoqYyJtKOm3yXSM2EUowp -NTeRIpWyb8//G+zahG2fQ9t7vqS8zo9PyRqZJumUxJclPJRe++6IqXHkX+hyp+o1 -8cndoRbIYiaJw9b/bTcqqwlWDPcI +MIIEojCCAwqgAwIBAgIJAK253pMhgCkxMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxDzANBgNVBAcMBlpodUhhaTEPMA0G +A1UECgwGaXJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTAgFw0xOTA2MjQyMjE4MDVa +GA8yMTE5MDUzMTIyMTgwNVowVjELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5n +RG9uZzEPMA0GA1UEBwwGWmh1SGFpMQ8wDQYDVQQKDAZpcmVzdHkxETAPBgNVBAMM +CHRlc3QuY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyCM0rqJe +cvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5jhZB3W6BkWUWR4oNFLLSqcVb +VDPitz/Mt46Mo8amuS6zTbQetGnBARzPLtmVhJfoeLj0efMiOepOSZflj9Ob4yKR +2bGdEFOdHPjm+4ggXU9jMKeLqdVvxll/JiVFBW5smPtW1Oc/BV5terhscJdOgmRr +abf9xiIis9/qVYfyGn52u9452V0owUuwP7nZ01jt6iMWEGeQU6mwPENgvj1olji2 +WjdG2UwpUVp3jp3l7j1ekQ6mI0F7yI+LeHzfUwiyVt1TmtMWn1ztk6FfLRqwJWR/ +Evm95vnfS3Le4S2ky3XAgn2UnCMyej3wDN6qHR1onpRVeXhrBajbCRDRBMwaNw/1 +/3Uvza8QKK10PzQR6OcQ0xo9psMkd9j9ts/dTuo2fzaqpIfyUbPST4GdqNG9NyIh 
+/B9g26/0EWcjyO7mYVkaycrtLMaXm1u9jyRmcQQI1cGrGwyXbrieNp63AgMBAAGj +cTBvMB0GA1UdDgQWBBSZtSvV8mBwl0bpkvFtgyiOUUcbszAfBgNVHSMEGDAWgBSZ +tSvV8mBwl0bpkvFtgyiOUUcbszAMBgNVHRMEBTADAQH/MB8GA1UdEQQYMBaCCHRl +c3QuY29tggoqLnRlc3QuY29tMA0GCSqGSIb3DQEBCwUAA4IBgQAHGEul/x7ViVgC +tC8CbXEslYEkj1XVr2Y4hXZXAXKd3W7V3TC8rqWWBbr6L/tsSVFt126V5WyRmOaY +1A5pju8VhnkhYxYfZALQxJN2tZPFVeME9iGJ9BE1wPtpMgITX8Rt9kbNlENfAgOl +PYzrUZN1YUQjX+X8t8/1VkSmyZysr6ngJ46/M8F16gfYXc9zFj846Z9VST0zCKob +rJs3GtHOkS9zGGldqKKCj+Awl0jvTstI4qtS1ED92tcnJh5j/SSXCAB5FgnpKZWy +hme45nBQj86rJ8FhN+/aQ9H9/2Ib6Q4wbpaIvf4lQdLUEcWAeZGW6Rk0JURwEog1 +7/mMgkapDglgeFx9f/XztSTrkHTaX4Obr+nYrZ2V4KOB4llZnK5GeNjDrOOJDk2y +IJFgBOZJWyS93dQfuKEj42hA79MuX64lMSCVQSjX+ipR289GQZqFrIhiJxLyA+Ve +U/OOcSRr39Kuis/JJ+DkgHYa/PWHZhnJQBxcqXXk1bJGw9BNbhM= -----END CERTIFICATE----- diff --git a/t/certs/ocsp/rsa_good.crt b/t/certs/ocsp/rsa_good.crt index ea893f565529..9f31e55af8b9 100644 --- a/t/certs/ocsp/rsa_good.crt +++ b/t/certs/ocsp/rsa_good.crt 
@@ -1,38 +1,50 @@ -----BEGIN CERTIFICATE----- -MIIDKzCCAhOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW -MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X -DTI0MDExMjEyNDgyMVoXDTM0MDEwOTEyNDgyMVowPTELMAkGA1UEBhMCQ04xFjAU -BgNVBAsMDUFwYWNoZSBBUElTSVgxFjAUBgNVBAMMDW9jc3AudGVzdC5jb20wggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDz11rOQW/jrmb/A9XcUXmmWIjT -d4EwoukLguwASqvUnLnwRYXb0+StyOkG86YRiUnrYqPQEuOs7V+Ladr1wNtFssP0 -fe63lbdZWETQkmg6lapnS6gQ3hvET5aCxwAPsKuXwiUpuA0xyj4Ddrfyj2/w+n+8 -eJpjQUO8HZcWtIuK/ZVhElhgu5mqtUpH/VuojMmMT+DoQ2jnpDGhwwN8w4o6uLTt -dCUxxvuC+VrGeqhcX6iZq37K/bsIBs7l+JtzxGrtyqklnID6LJtr8UjiSVlI2uT0 -IultMWwjra0chfxxFgWsQSQfQmslwoRb5k61Ymms1uzrgTXKkniKC5LUKhjjAgMB -AAGjNzA1MDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovLzEyNy4w -LjAuMToxMTQ1MS8wDQYJKoZIhvcNAQELBQADggEBAA5j6XDBigixHYX4iWzRHwg1 -IG/NzeIzkNe/ygA5er7JDGpphQdBcnjkDoqT4hkAvAxbDTv4MPPEq6RyeWk6fgEA -ESlsE4lpMw3DgLsVwaPSM5Ej6fcoD2pfHCciDIp2WwscwK9JgdrxTiGu2epturzP -L/pJZIAu1HLaMmkKowDQHV/EdOsLeqbzGnye4uj8aIxS5IwiNe+0B8Lbm5PaHIGU -Xh//XZHb5P+5JhadVxs3Y85lsaOzqOC6toJrFbydHNhEPMgRaBorpD2mAClBNOUR -mQzfXDtIUJUDWkhoG66Gglr8NroebgSthcqu8kul3CCzCnWpiLChjC37Q/d3+MU= +MIIDxTCCAi2gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDTjES +MBAGA1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDzANBgNVBAoMBmly +ZXN0eTERMA8GA1UEAwwIdGVzdC5jb20wHhcNMjQwMTEyMTQ1OTA4WhcNMzQwMTA5 +MTQ1OTA4WjA9MQswCQYDVQQGEwJDTjEWMBQGA1UECwwNQXBhY2hlIEFQSVNJWDEW +MBQGA1UEAwwNb2NzcC50ZXN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAPPXWs5Bb+OuZv8D1dxReaZYiNN3gTCi6QuC7ABKq9ScufBFhdvT5K3I +6QbzphGJSetio9AS46ztX4tp2vXA20Wyw/R97reVt1lYRNCSaDqVqmdLqBDeG8RP +loLHAA+wq5fCJSm4DTHKPgN2t/KPb/D6f7x4mmNBQ7wdlxa0i4r9lWESWGC7maq1 +Skf9W6iMyYxP4OhDaOekMaHDA3zDijq4tO10JTHG+4L5WsZ6qFxfqJmrfsr9uwgG +zuX4m3PEau3KqSWcgPosm2vxSOJJWUja5PQi6W0xbCOtrRyF/HEWBaxBJB9CayXC +hFvmTrViaazW7OuBNcqSeIoLktQqGOMCAwEAAaM3MDUwMwYIKwYBBQUHAQEEJzAl +MCMGCCsGAQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjExNDUxLzANBgkqhkiG9w0B 
+AQsFAAOCAYEAkHi0FLFQbPANUxXIIYjR0dVt5xb0SoAet0TxAAzoJaO1v7jrXok+ +DBZu9dOftDIX5jB8vne7JSKCl1ibpsYqpOW9AjFjUTtKkirXcsKQKs+sW1Vue0uu +xPx1IAbI475X8emIB3vH5S/eqe8ep31pJkFxoiWSafKB9gpXzpD6NEteLr6oK67F +bdIZHEdxIuiu1SQEeN8ShSoIWcVkWavsP5ziXhi+PxK4CKYQoHyFoBFWk7SXhCCA +mKhnvcOjR9Cq/ZtkAe/G31x9nYQ6blJejRDxHOqgK+eke9+8qPx2oTLwraodPRVv +0O5NpI0SQw8+5KcWpz/vq0NZFHh0SqSh82/IJvgxSab51VLdU2lxNxsllTNpDN9F +LtXT5SRgRy/gXs6bOq6tszHTNE7t6hlCGlWfaRNUHfRsdyOfim0JwOpusmE0yR7R +v6jYCk8LyJM+1oppp71cUtzrMxWEn/bC0M9TQuwb9fHFgEFU1VWjJrcaSfFGf61m +uzgYQtn5uERq -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDETCCAfmgAwIBAgIBBTANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW -MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X -DTI0MDExMjEyNTc0NloXDTM0MDEwOTEyNTc0NlowQzELMAkGA1UEBhMCQ04xFjAU -BgNVBAsMDUFwYWNoZSBBUElTSVgxHDAaBgNVBAMME29jc3AgdGVzdCBDQSBzaWdu -ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC+xUOj+eNfA5Epger -Ru0ZYXPQtq37rvsQzmSFFtrZvvusUpuJ4fvWXg2jl+XPaAUjfd1TWnirXfGQAGkY -06CShSW00PvxCxm1JvJiEjCCq6Xm5AVqf0vlWry2GYho49xYhbSGdPkS/s9l2q0H -J06nEdqpWFlQ0xE8x5sSYgwSfNvon/y+VX30tkWoAg1BrgH5v13MCPKSJBzUugbO -Ey+YpOzk7l9HuWL5MAg4iIX8y5tHzGueGeCJryxXxrU0ESC5E5ba9URoqD0UAM76 -cvM6UoLseUHfehwE+oRf8ZSShwgpK8QYgVFLTF+X3cNgCOrFB4oOb9Lvm21N57DB -fWohAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUA -A4IBAQAZsTHO1gB9PMwQT5zH5aS64c59sgfKHuiJGLlJdMPsT9gp2kYBIJXJCz0N -wSRcCUu6MpE+bwuXaYhNRjSegsgh1IUKhYmbwkksnixMAR3DLRJwhTZcRqui6uVb -YfHFwaGKeiCrbu7E4cw+tAdN8+Am2p96kwD4t9vSSFmfdf0qJoiLufQbThW/TqQx -Lnn426fkLNKqn489yvm1Aot0KTB/t73oVdFNS+qDYqaOoqYyJtKOm3yXSM2EUowp -NTeRIpWyb8//G+zahG2fQ9t7vqS8zo9PyRqZJumUxJclPJRe++6IqXHkX+hyp+o1 -8cndoRbIYiaJw9b/bTcqqwlWDPcI +MIIEojCCAwqgAwIBAgIJAK253pMhgCkxMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxDzANBgNVBAcMBlpodUhhaTEPMA0G +A1UECgwGaXJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTAgFw0xOTA2MjQyMjE4MDVa +GA8yMTE5MDUzMTIyMTgwNVowVjELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5n 
+RG9uZzEPMA0GA1UEBwwGWmh1SGFpMQ8wDQYDVQQKDAZpcmVzdHkxETAPBgNVBAMM +CHRlc3QuY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyCM0rqJe +cvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5jhZB3W6BkWUWR4oNFLLSqcVb +VDPitz/Mt46Mo8amuS6zTbQetGnBARzPLtmVhJfoeLj0efMiOepOSZflj9Ob4yKR +2bGdEFOdHPjm+4ggXU9jMKeLqdVvxll/JiVFBW5smPtW1Oc/BV5terhscJdOgmRr +abf9xiIis9/qVYfyGn52u9452V0owUuwP7nZ01jt6iMWEGeQU6mwPENgvj1olji2 +WjdG2UwpUVp3jp3l7j1ekQ6mI0F7yI+LeHzfUwiyVt1TmtMWn1ztk6FfLRqwJWR/ +Evm95vnfS3Le4S2ky3XAgn2UnCMyej3wDN6qHR1onpRVeXhrBajbCRDRBMwaNw/1 +/3Uvza8QKK10PzQR6OcQ0xo9psMkd9j9ts/dTuo2fzaqpIfyUbPST4GdqNG9NyIh +/B9g26/0EWcjyO7mYVkaycrtLMaXm1u9jyRmcQQI1cGrGwyXbrieNp63AgMBAAGj +cTBvMB0GA1UdDgQWBBSZtSvV8mBwl0bpkvFtgyiOUUcbszAfBgNVHSMEGDAWgBSZ +tSvV8mBwl0bpkvFtgyiOUUcbszAMBgNVHRMEBTADAQH/MB8GA1UdEQQYMBaCCHRl +c3QuY29tggoqLnRlc3QuY29tMA0GCSqGSIb3DQEBCwUAA4IBgQAHGEul/x7ViVgC +tC8CbXEslYEkj1XVr2Y4hXZXAXKd3W7V3TC8rqWWBbr6L/tsSVFt126V5WyRmOaY +1A5pju8VhnkhYxYfZALQxJN2tZPFVeME9iGJ9BE1wPtpMgITX8Rt9kbNlENfAgOl +PYzrUZN1YUQjX+X8t8/1VkSmyZysr6ngJ46/M8F16gfYXc9zFj846Z9VST0zCKob +rJs3GtHOkS9zGGldqKKCj+Awl0jvTstI4qtS1ED92tcnJh5j/SSXCAB5FgnpKZWy +hme45nBQj86rJ8FhN+/aQ9H9/2Ib6Q4wbpaIvf4lQdLUEcWAeZGW6Rk0JURwEog1 +7/mMgkapDglgeFx9f/XztSTrkHTaX4Obr+nYrZ2V4KOB4llZnK5GeNjDrOOJDk2y +IJFgBOZJWyS93dQfuKEj42hA79MuX64lMSCVQSjX+ipR289GQZqFrIhiJxLyA+Ve +U/OOcSRr39Kuis/JJ+DkgHYa/PWHZhnJQBxcqXXk1bJGw9BNbhM= -----END CERTIFICATE----- diff --git a/t/certs/ocsp/rsa_revoked.crt b/t/certs/ocsp/rsa_revoked.crt index e0f0eb77fc4a..72ef51dfa5b6 100644 --- a/t/certs/ocsp/rsa_revoked.crt +++ b/t/certs/ocsp/rsa_revoked.crt 
@@ -1,39 +1,50 @@ -----BEGIN CERTIFICATE----- -MIIDMzCCAhugAwIBAgIBAzANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW -MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X -DTI0MDExMjEyNTE1MVoXDTM0MDEwOTEyNTE1MVowRTELMAkGA1UEBhMCQ04xFjAU -BgNVBAsMDUFwYWNoZSBBUElTSVgxHjAcBgNVBAMMFW9jc3AtcmV2b2tlZC50ZXN0 -LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALYwGl+ibVIY15Ma -rTq8L6XoUud4F8UYqImPbG5JVCn5R+t3n3YuAWNCAbOyFSzKOCVG0D3uBRVhUwTA -0jqMmhAkksOwCXmq912QgfR/m+NaxhF4ue+FjZzJkSE8Fw6+3ybwPUCL2Sta6LVF -6jTR8G+bT9VbySYd4wkY/Zs7+dTEG/B7ZXjJ7RkkRi0sRHaNmy/7t9xcAC1eQMqo -IOm39IDzxnOC6nNscBTtB7xeqKIi45UI5rKpCOP4xNBJQiUh7kXG6uB9ENa4gkTp -5kqy0YknRBZwFE/3H9rEeTWSrEwMzlcCJCo4oHVI8hFDeMVm3qxrRs8MYHxuIokp -VYbeKUUCAwEAAaM3MDUwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRw -Oi8vMTI3LjAuMC4xOjExNDUxLzANBgkqhkiG9w0BAQsFAAOCAQEAOlT+8PgUgny3 -DgZlLEsokKVxb8oWXJkvnSS/QX59aKfbyPUgPTmtIv7QoGFUSgVQHRDPfDh0rjwy -r7nNvl1FXfnlf/l4Bijywdj6ipG9WPUeV1cwT2x4OzAKxacTt300dPa4jfym9UTE -YECRP+8FmOA4PApXQCfxJ7VWojQXcL3MO5Yx/OWGfOlwJnBTcv9R1M3yNACOPjin -yD00F72Xlb6pB7tYuuhZxEqstzXduXC+IL15EXk6CR9VFLqN/ZOxIoO4cqyqWjDy -iKUzioflnVSEzm9ZzJHe24BWG8z8bJQ8PvYRWSHNYV+eJqGfV5k96JJ4Vh0mNLfc -B1BphTS5zg== +MIIDzTCCAjWgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDTjES +MBAGA1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDzANBgNVBAoMBmly +ZXN0eTERMA8GA1UEAwwIdGVzdC5jb20wHhcNMjQwMTEyMTUwMDA5WhcNMzQwMTA5 +MTUwMDA5WjBFMQswCQYDVQQGEwJDTjEWMBQGA1UECwwNQXBhY2hlIEFQSVNJWDEe +MBwGA1UEAwwVb2NzcC1yZXZva2VkLnRlc3QuY29tMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAtjAaX6JtUhjXkxqtOrwvpehS53gXxRioiY9sbklUKflH +63efdi4BY0IBs7IVLMo4JUbQPe4FFWFTBMDSOoyaECSSw7AJear3XZCB9H+b41rG +EXi574WNnMmRITwXDr7fJvA9QIvZK1rotUXqNNHwb5tP1VvJJh3jCRj9mzv51MQb +8HtleMntGSRGLSxEdo2bL/u33FwALV5Ayqgg6bf0gPPGc4Lqc2xwFO0HvF6ooiLj +lQjmsqkI4/jE0ElCJSHuRcbq4H0Q1riCROnmSrLRiSdEFnAUT/cf2sR5NZKsTAzO +VwIkKjigdUjyEUN4xWberGtGzwxgfG4iiSlVht4pRQIDAQABozcwNTAzBggrBgEF +BQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6MTE0NTEvMA0G 
+CSqGSIb3DQEBCwUAA4IBgQBBbfOcWr20MQLWjijsOPiQGWa6Z+z8qMkgSB1Ukhqj +qhuYA/bVcMcftqCCcjeAW4fgN+xBuLnHwS+iIdCjUSV8kbN19KGJNR27kDI/ShgY +HiFNqEjDOq46jo/CMJap3VO4ZdvH8+3Dk3KuOCNBej/Oe3XD5Aw4jedHxHgfGWqt +FD3nA+lZOvUVe7qgSkOOPtWsyX3xx7cvWziXHFd6TUWhSfcRIORO0ZHMF80ipNgd +KgUe7t2pOuIN8sOx98j2MHNMFQVEPZ+EweznVOvWVqbGzW5wf3pUz/Vbb+uCR1LQ +otNEEbENAEEZQ6sKpZ0pe2xuuHT+KOQ20Ty79Fs2ji9R4maiD0NTaVy2/oqYrs3G +OFA7OrPSJ+HYKCq9QP6Cu/wY5kiG328SeoHNaXGltzCxvqE3DZNzevKh9s88SBjL +pZ1hHUH++Co3pCss+ZPDjkWUFnbg7v8altE37ksdYMXOjY1OStHUzfZ4uYeC9orx +Gm5X8AE3zIgpNdiANrO/ook= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDETCCAfmgAwIBAgIBBTANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW -MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X -DTI0MDExMjEyNTc0NloXDTM0MDEwOTEyNTc0NlowQzELMAkGA1UEBhMCQ04xFjAU -BgNVBAsMDUFwYWNoZSBBUElTSVgxHDAaBgNVBAMME29jc3AgdGVzdCBDQSBzaWdu -ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC+xUOj+eNfA5Epger -Ru0ZYXPQtq37rvsQzmSFFtrZvvusUpuJ4fvWXg2jl+XPaAUjfd1TWnirXfGQAGkY -06CShSW00PvxCxm1JvJiEjCCq6Xm5AVqf0vlWry2GYho49xYhbSGdPkS/s9l2q0H -J06nEdqpWFlQ0xE8x5sSYgwSfNvon/y+VX30tkWoAg1BrgH5v13MCPKSJBzUugbO -Ey+YpOzk7l9HuWL5MAg4iIX8y5tHzGueGeCJryxXxrU0ESC5E5ba9URoqD0UAM76 -cvM6UoLseUHfehwE+oRf8ZSShwgpK8QYgVFLTF+X3cNgCOrFB4oOb9Lvm21N57DB -fWohAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUA -A4IBAQAZsTHO1gB9PMwQT5zH5aS64c59sgfKHuiJGLlJdMPsT9gp2kYBIJXJCz0N -wSRcCUu6MpE+bwuXaYhNRjSegsgh1IUKhYmbwkksnixMAR3DLRJwhTZcRqui6uVb -YfHFwaGKeiCrbu7E4cw+tAdN8+Am2p96kwD4t9vSSFmfdf0qJoiLufQbThW/TqQx -Lnn426fkLNKqn489yvm1Aot0KTB/t73oVdFNS+qDYqaOoqYyJtKOm3yXSM2EUowp -NTeRIpWyb8//G+zahG2fQ9t7vqS8zo9PyRqZJumUxJclPJRe++6IqXHkX+hyp+o1 -8cndoRbIYiaJw9b/bTcqqwlWDPcI +MIIEojCCAwqgAwIBAgIJAK253pMhgCkxMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxDzANBgNVBAcMBlpodUhhaTEPMA0G +A1UECgwGaXJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTAgFw0xOTA2MjQyMjE4MDVa +GA8yMTE5MDUzMTIyMTgwNVowVjELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5n 
+RG9uZzEPMA0GA1UEBwwGWmh1SGFpMQ8wDQYDVQQKDAZpcmVzdHkxETAPBgNVBAMM +CHRlc3QuY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyCM0rqJe +cvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5jhZB3W6BkWUWR4oNFLLSqcVb +VDPitz/Mt46Mo8amuS6zTbQetGnBARzPLtmVhJfoeLj0efMiOepOSZflj9Ob4yKR +2bGdEFOdHPjm+4ggXU9jMKeLqdVvxll/JiVFBW5smPtW1Oc/BV5terhscJdOgmRr +abf9xiIis9/qVYfyGn52u9452V0owUuwP7nZ01jt6iMWEGeQU6mwPENgvj1olji2 +WjdG2UwpUVp3jp3l7j1ekQ6mI0F7yI+LeHzfUwiyVt1TmtMWn1ztk6FfLRqwJWR/ +Evm95vnfS3Le4S2ky3XAgn2UnCMyej3wDN6qHR1onpRVeXhrBajbCRDRBMwaNw/1 +/3Uvza8QKK10PzQR6OcQ0xo9psMkd9j9ts/dTuo2fzaqpIfyUbPST4GdqNG9NyIh +/B9g26/0EWcjyO7mYVkaycrtLMaXm1u9jyRmcQQI1cGrGwyXbrieNp63AgMBAAGj +cTBvMB0GA1UdDgQWBBSZtSvV8mBwl0bpkvFtgyiOUUcbszAfBgNVHSMEGDAWgBSZ +tSvV8mBwl0bpkvFtgyiOUUcbszAMBgNVHRMEBTADAQH/MB8GA1UdEQQYMBaCCHRl +c3QuY29tggoqLnRlc3QuY29tMA0GCSqGSIb3DQEBCwUAA4IBgQAHGEul/x7ViVgC +tC8CbXEslYEkj1XVr2Y4hXZXAXKd3W7V3TC8rqWWBbr6L/tsSVFt126V5WyRmOaY +1A5pju8VhnkhYxYfZALQxJN2tZPFVeME9iGJ9BE1wPtpMgITX8Rt9kbNlENfAgOl +PYzrUZN1YUQjX+X8t8/1VkSmyZysr6ngJ46/M8F16gfYXc9zFj846Z9VST0zCKob +rJs3GtHOkS9zGGldqKKCj+Awl0jvTstI4qtS1ED92tcnJh5j/SSXCAB5FgnpKZWy +hme45nBQj86rJ8FhN+/aQ9H9/2Ib6Q4wbpaIvf4lQdLUEcWAeZGW6Rk0JURwEog1 +7/mMgkapDglgeFx9f/XztSTrkHTaX4Obr+nYrZ2V4KOB4llZnK5GeNjDrOOJDk2y +IJFgBOZJWyS93dQfuKEj42hA79MuX64lMSCVQSjX+ipR289GQZqFrIhiJxLyA+Ve +U/OOcSRr39Kuis/JJ+DkgHYa/PWHZhnJQBxcqXXk1bJGw9BNbhM= -----END CERTIFICATE----- diff --git a/t/certs/ocsp/rsa_unknown.crt b/t/certs/ocsp/rsa_unknown.crt index dc222c425b7a..d9b6a82d77b0 100644 --- a/t/certs/ocsp/rsa_unknown.crt +++ b/t/certs/ocsp/rsa_unknown.crt 
@@ -1,39 +1,50 @@ -----BEGIN CERTIFICATE----- -MIIDMzCCAhugAwIBAgIBBDANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW -MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X -DTI0MDExMjEyNTM0OFoXDTM0MDEwOTEyNTM0OFowRTELMAkGA1UEBhMCQ04xFjAU -BgNVBAsMDUFwYWNoZSBBUElTSVgxHjAcBgNVBAMMFW9jc3AtdW5rbm93bi50ZXN0 -LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKbh5sGRYVZoz4TU -ZkLWcA6VWugXrF+mOpgSZJ0FUWTeduQHPbrKenBgYmGPtojVd0+RHAtMk4CYayit -Ds9VgxAGEh9yN08DGJhXceK/3LmhxLMV2YIJBhz2lZsxTl/cEn6wfv0xEQcjuBSI -mNf6U2v7w1svHDWFGDKmc3iauds6bV0pNZ41YI0PaSSMmZkzAA6n6XPzk3YhvJF1 -26wJzLjGMjRMQw3E3enibUZpLPlY4PeSGzPMfBP4Z/kKV0Qm9TY+hY+w9Lfcgtv2 -0FXQSTZAMYxKH7gm6Udz5/6fNmPOMjroTkb3V5gVpu0XITn++93MWreEfiNQ3nNx -lPL6UAMCAwEAAaM3MDUwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRw -Oi8vMTI3LjAuMC4xOjExNDUxLzANBgkqhkiG9w0BAQsFAAOCAQEAQ3EtDW6zbzco -Zcs5M2oaw7oRC9nDs3ilNTssedq4JOnOb48dlYaDq79aChHPDcfuSJ78rG3xJy8a -Cpgwat+Qjp+JTeB7Ku+jdjY19aocxRl8yDB+MvQKbGEOFxL9LElh8SwvhbprihC8 -NvaBJb/tDkKkIgGoR/FU5tRRi13U69Lo0SkkD22cPw+Y5p70gHEREvhIkmuBDqGq -eNgjnOm/0SUq/6NarPHxRtmZUPioVRzaLd8qd8LQhW8/NllXKwFCNsnujByPlNoy -g72tUTAR5P1yAPKiZ0ngIjKIzYcv6ZGUR0gMIn86N8bnVB84e3rJuBYN0/DVFqZO -9PrWQeSqIg== +MIIDzTCCAjWgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDTjES +MBAGA1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDzANBgNVBAoMBmly +ZXN0eTERMA8GA1UEAwwIdGVzdC5jb20wHhcNMjQwMTEyMTUwMDM0WhcNMzQwMTA5 +MTUwMDM0WjBFMQswCQYDVQQGEwJDTjEWMBQGA1UECwwNQXBhY2hlIEFQSVNJWDEe +MBwGA1UEAwwVb2NzcC11bmtub3duLnRlc3QuY29tMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEApuHmwZFhVmjPhNRmQtZwDpVa6BesX6Y6mBJknQVRZN52 +5Ac9usp6cGBiYY+2iNV3T5EcC0yTgJhrKK0Oz1WDEAYSH3I3TwMYmFdx4r/cuaHE +sxXZggkGHPaVmzFOX9wSfrB+/TERByO4FIiY1/pTa/vDWy8cNYUYMqZzeJq52zpt +XSk1njVgjQ9pJIyZmTMADqfpc/OTdiG8kXXbrAnMuMYyNExDDcTd6eJtRmks+Vjg +95IbM8x8E/hn+QpXRCb1Nj6Fj7D0t9yC2/bQVdBJNkAxjEofuCbpR3Pn/p82Y84y +OuhORvdXmBWm7RchOf773cxat4R+I1Dec3GU8vpQAwIDAQABozcwNTAzBggrBgEF +BQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6MTE0NTEvMA0G 
+CSqGSIb3DQEBCwUAA4IBgQBSK6ACelC4GVbyyaN8QKwtzOkQJtbn5lMyo6YmgqAD +00vyrjPIc5GbuA69Jinu9mty3AMMn+UFqudWHfLXGSAl0M1LUWrxg0Qa6llEB+Kh +f6EmDNciWUK7kijuraqPxVxB4G8ZebS+SjaeptgqIW54fMQMOOzmG9DldOvIc5FF +ZMzHYNP5QTHaeGki9KxZmfxt89lTYi6ZvViW7mjpxSbecY5H2DTFWIKD7P8seHVZ +Jp4laPyAWDA157zpIvyK/zTNqnE+85ZJ2c0MrVWFXwL/7InViHASZriIOaOUBs/g +pE6RTrwpU9JhjmdYtv39SgdLAInoaxmoPeNZmr4tefLrXwn9oRHnk6RInQNSffam +vxNxD/ZKNPDZwf40ybWH5JG/SyrQr0UJAT3PWlKxHwbAz/4f6z0E/byR5nJrdFSh +dLTbfJZ5h0vaBrcBeg/NXSvW7znJWtX3NBiUq3Ns3gAJ1y8usKKWwbCsbKzUl9j4 +NoG6Jv5toAlmtCmhVuUkX5g= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDETCCAfmgAwIBAgIBBTANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW -MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X -DTI0MDExMjEyNTc0NloXDTM0MDEwOTEyNTc0NlowQzELMAkGA1UEBhMCQ04xFjAU -BgNVBAsMDUFwYWNoZSBBUElTSVgxHDAaBgNVBAMME29jc3AgdGVzdCBDQSBzaWdu -ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC+xUOj+eNfA5Epger -Ru0ZYXPQtq37rvsQzmSFFtrZvvusUpuJ4fvWXg2jl+XPaAUjfd1TWnirXfGQAGkY -06CShSW00PvxCxm1JvJiEjCCq6Xm5AVqf0vlWry2GYho49xYhbSGdPkS/s9l2q0H -J06nEdqpWFlQ0xE8x5sSYgwSfNvon/y+VX30tkWoAg1BrgH5v13MCPKSJBzUugbO -Ey+YpOzk7l9HuWL5MAg4iIX8y5tHzGueGeCJryxXxrU0ESC5E5ba9URoqD0UAM76 -cvM6UoLseUHfehwE+oRf8ZSShwgpK8QYgVFLTF+X3cNgCOrFB4oOb9Lvm21N57DB -fWohAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUA -A4IBAQAZsTHO1gB9PMwQT5zH5aS64c59sgfKHuiJGLlJdMPsT9gp2kYBIJXJCz0N -wSRcCUu6MpE+bwuXaYhNRjSegsgh1IUKhYmbwkksnixMAR3DLRJwhTZcRqui6uVb -YfHFwaGKeiCrbu7E4cw+tAdN8+Am2p96kwD4t9vSSFmfdf0qJoiLufQbThW/TqQx -Lnn426fkLNKqn489yvm1Aot0KTB/t73oVdFNS+qDYqaOoqYyJtKOm3yXSM2EUowp -NTeRIpWyb8//G+zahG2fQ9t7vqS8zo9PyRqZJumUxJclPJRe++6IqXHkX+hyp+o1 -8cndoRbIYiaJw9b/bTcqqwlWDPcI +MIIEojCCAwqgAwIBAgIJAK253pMhgCkxMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxDzANBgNVBAcMBlpodUhhaTEPMA0G +A1UECgwGaXJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTAgFw0xOTA2MjQyMjE4MDVa +GA8yMTE5MDUzMTIyMTgwNVowVjELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5n 
+RG9uZzEPMA0GA1UEBwwGWmh1SGFpMQ8wDQYDVQQKDAZpcmVzdHkxETAPBgNVBAMM +CHRlc3QuY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyCM0rqJe +cvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5jhZB3W6BkWUWR4oNFLLSqcVb +VDPitz/Mt46Mo8amuS6zTbQetGnBARzPLtmVhJfoeLj0efMiOepOSZflj9Ob4yKR +2bGdEFOdHPjm+4ggXU9jMKeLqdVvxll/JiVFBW5smPtW1Oc/BV5terhscJdOgmRr +abf9xiIis9/qVYfyGn52u9452V0owUuwP7nZ01jt6iMWEGeQU6mwPENgvj1olji2 +WjdG2UwpUVp3jp3l7j1ekQ6mI0F7yI+LeHzfUwiyVt1TmtMWn1ztk6FfLRqwJWR/ +Evm95vnfS3Le4S2ky3XAgn2UnCMyej3wDN6qHR1onpRVeXhrBajbCRDRBMwaNw/1 +/3Uvza8QKK10PzQR6OcQ0xo9psMkd9j9ts/dTuo2fzaqpIfyUbPST4GdqNG9NyIh +/B9g26/0EWcjyO7mYVkaycrtLMaXm1u9jyRmcQQI1cGrGwyXbrieNp63AgMBAAGj +cTBvMB0GA1UdDgQWBBSZtSvV8mBwl0bpkvFtgyiOUUcbszAfBgNVHSMEGDAWgBSZ +tSvV8mBwl0bpkvFtgyiOUUcbszAMBgNVHRMEBTADAQH/MB8GA1UdEQQYMBaCCHRl +c3QuY29tggoqLnRlc3QuY29tMA0GCSqGSIb3DQEBCwUAA4IBgQAHGEul/x7ViVgC +tC8CbXEslYEkj1XVr2Y4hXZXAXKd3W7V3TC8rqWWBbr6L/tsSVFt126V5WyRmOaY +1A5pju8VhnkhYxYfZALQxJN2tZPFVeME9iGJ9BE1wPtpMgITX8Rt9kbNlENfAgOl +PYzrUZN1YUQjX+X8t8/1VkSmyZysr6ngJ46/M8F16gfYXc9zFj846Z9VST0zCKob +rJs3GtHOkS9zGGldqKKCj+Awl0jvTstI4qtS1ED92tcnJh5j/SSXCAB5FgnpKZWy +hme45nBQj86rJ8FhN+/aQ9H9/2Ib6Q4wbpaIvf4lQdLUEcWAeZGW6Rk0JURwEog1 +7/mMgkapDglgeFx9f/XztSTrkHTaX4Obr+nYrZ2V4KOB4llZnK5GeNjDrOOJDk2y +IJFgBOZJWyS93dQfuKEj42hA79MuX64lMSCVQSjX+ipR289GQZqFrIhiJxLyA+Ve +U/OOcSRr39Kuis/JJ+DkgHYa/PWHZhnJQBxcqXXk1bJGw9BNbhM= -----END CERTIFICATE----- diff --git a/t/certs/ocsp/signer.crt b/t/certs/ocsp/signer.crt index b85bd0a52eaa..ecbbc045143f 100644 --- a/t/certs/ocsp/signer.crt +++ b/t/certs/ocsp/signer.crt 
@@ -1,19 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDETCCAfmgAwIBAgIBBTANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJDTjEW -MBQGA1UECwwNQXBhY2hlIEFQSVNJWDEVMBMGA1UEAwwMb2NzcCB0ZXN0IENBMB4X -DTI0MDExMjEyNTc0NloXDTM0MDEwOTEyNTc0NlowQzELMAkGA1UEBhMCQ04xFjAU -BgNVBAsMDUFwYWNoZSBBUElTSVgxHDAaBgNVBAMME29jc3AgdGVzdCBDQSBzaWdu -ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC+xUOj+eNfA5Epger -Ru0ZYXPQtq37rvsQzmSFFtrZvvusUpuJ4fvWXg2jl+XPaAUjfd1TWnirXfGQAGkY -06CShSW00PvxCxm1JvJiEjCCq6Xm5AVqf0vlWry2GYho49xYhbSGdPkS/s9l2q0H -J06nEdqpWFlQ0xE8x5sSYgwSfNvon/y+VX30tkWoAg1BrgH5v13MCPKSJBzUugbO -Ey+YpOzk7l9HuWL5MAg4iIX8y5tHzGueGeCJryxXxrU0ESC5E5ba9URoqD0UAM76 -cvM6UoLseUHfehwE+oRf8ZSShwgpK8QYgVFLTF+X3cNgCOrFB4oOb9Lvm21N57DB -fWohAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUA -A4IBAQAZsTHO1gB9PMwQT5zH5aS64c59sgfKHuiJGLlJdMPsT9gp2kYBIJXJCz0N -wSRcCUu6MpE+bwuXaYhNRjSegsgh1IUKhYmbwkksnixMAR3DLRJwhTZcRqui6uVb -YfHFwaGKeiCrbu7E4cw+tAdN8+Am2p96kwD4t9vSSFmfdf0qJoiLufQbThW/TqQx -Lnn426fkLNKqn489yvm1Aot0KTB/t73oVdFNS+qDYqaOoqYyJtKOm3yXSM2EUowp -NTeRIpWyb8//G+zahG2fQ9t7vqS8zo9PyRqZJumUxJclPJRe++6IqXHkX+hyp+o1 -8cndoRbIYiaJw9b/bTcqqwlWDPcI +MIIDqzCCAhOgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDTjES +MBAGA1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDzANBgNVBAoMBmly +ZXN0eTERMA8GA1UEAwwIdGVzdC5jb20wHhcNMjQwMTEyMTUwMDU1WhcNMzQwMTA5 +MTUwMDU1WjBDMQswCQYDVQQGEwJDTjEWMBQGA1UECwwNQXBhY2hlIEFQSVNJWDEc +MBoGA1UEAwwTb2NzcCB0ZXN0IENBIHNpZ25lcjCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAML7FQ6P5418DkSmB6tG7Rlhc9C2rfuu+xDOZIUW2tm++6xS +m4nh+9ZeDaOX5c9oBSN93VNaeKtd8ZAAaRjToJKFJbTQ+/ELGbUm8mISMIKrpebk +BWp/S+VavLYZiGjj3FiFtIZ0+RL+z2XarQcnTqcR2qlYWVDTETzHmxJiDBJ82+if +/L5VffS2RagCDUGuAfm/XcwI8pIkHNS6Bs4TL5ik7OTuX0e5YvkwCDiIhfzLm0fM +a54Z4ImvLFfGtTQRILkTltr1RGioPRQAzvpy8zpSgux5Qd96HAT6hF/xlJKHCCkr +xBiBUUtMX5fdw2AI6sUHig5v0u+bbU3nsMF9aiECAwEAAaMXMBUwEwYDVR0lBAww +CgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggGBALd3mJXvzu9TDTqfGZMkfGqD +hv/GdV0uaPpNlPZyOkS31t+iLd5R1EZz8wKLegvOdm3uKA8NFx9uB7O6mWSneJ4R 
+VbrcJnFzl5C/SbgWIAt/N0uujO8xuC5YWlHeig5IJc8pmnacJ4y7FhTVfsw1u93d +evGyCIJ3TyYcZTDVuZruaW+xIRa+QJt3Q+CvkMn+aaxs1ji08ZjodGVu9+jsbb7f +DLgl3FuLf8DlKqhRh+hoOPUTI496m3ZTozb7cs0TfHFPSL0pZ2Rdbz4WGHfX0LRF +E8lweAsyd12OySr2PwiRY8m18t9HrPNbk7bAaVJLqehUjvB1Am5+Lgjicdy4HNhh +gDlt5hjLV2criJpq9QmKz7Veu2V42FNJR7DumnJsbUjBVlh+rgN42j8QnPAqylZ4 +4gcjhu1cGJd0miEN+TjzzqdZqjVvINepBR1j6pOF3fdfea8IFtJ1dzTpkU4Bq2P5 +CYqmKqhkAkEIYbwQ4fqehrcMrAAno3/ikW5PqxetnQ== -----END CERTIFICATE----- diff --git a/t/plugin/ocsp-stapling.t b/t/plugin/ocsp-stapling.t index 6516ee57fe00..811005fc413f 100644 --- a/t/plugin/ocsp-stapling.t +++ b/t/plugin/ocsp-stapling.t @@ -23,6 +23,14 @@ log_level('info'); no_root_location(); no_shuffle(); +my $openssl_bin = $ENV{OPENSSL_BIN}; +if (! -x $openssl_bin) { + $ENV{OPENSSL_BIN} = '/usr/local/openresty/openssl3/bin/openssl'; + if (! -x $ENV{OPENSSL_BIN}) { + plan(skip_all => "openssl3 not installed"); + } +} + add_block_preprocessor(sub { my ($block) = @_; @@ -58,7 +66,7 @@ location /t { cert = ssl_cert, key = ssl_key, sni = "test.com", - ocsp_stapling = true + ocsp_stapling = {} } local code, body = t.test('/apisix/admin/ssls/1', 
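Review bot: `if (! -x $openssl_bin)` applies `-x` to undef when `OPENSSL_BIN` is not exported, which emits an uninitialized-value warning before the fallback is tried; write `if (!defined $openssl_bin || ! -x $openssl_bin) {`. The hard-coded fallback `/usr/local/openresty/openssl3/bin/openssl` appears to be specific to the CI image; a comment above it, e.g. `# default openssl3 location in the CI image; override with OPENSSL_BIN`, would say where it comes from.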
@@ -81,7 +89,142 @@ additional properties forbidden, found ocsp_stapling -=== TEST 2: enable ocsp-stapling plugin, set cert which not support ocsp +=== TEST 2: check schema when enabled ocsp-stapling plugin +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local json = require("toolkit.json") + + for _, conf in ipairs({ + {}, + {enabled = true}, + {skip_verify = true}, + {cache_ttl = 6000}, + {enabled = true, skip_verify = true, cache_ttl = 6000}, + }) do + local ok, err = core.schema.check(core.schema.ssl.properties.ocsp_stapling, conf) + if not ok then + ngx.say(err) + return + end + ngx.say(json.encode(conf)) + end + } +} +--- response_body +{"cache_ttl":3600,"enabled":false,"skip_verify":false} +{"cache_ttl":3600,"enabled":true,"skip_verify":false} +{"cache_ttl":3600,"enabled":false,"skip_verify":true} +{"cache_ttl":6000,"enabled":false,"skip_verify":false} +{"cache_ttl":6000,"enabled":true,"skip_verify":true} + + + +=== TEST 3: ssl config without "ocsp-stapling" field when enabled ocsp-stapling plugin +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("t/certs/apisix.crt") + local ssl_key = t.read_file("t/certs/apisix.key") + + local data = { + cert = ssl_cert, + key = ssl_key, + sni = "test.com", + } + + local code, body = t.test('/apisix/admin/ssls/1', + ngx.HTTP_PUT, + core.json.encode(data) + ) + + if code >= 300 then + ngx.status = code + ngx.say(body) + return + end + + ngx.say(body) + } +} +--- response_body +passed + + + +=== TEST 4: hit, handshake ok:1 +--- exec +echo -n "Q" | $OPENSSL_BIN s_client -connect localhost:1994 -servername test.com -status 2>&1 | cat +--- response_body eval +qr/CONNECTED/ +--- error_log +no 'ocsp_stapling' field found, no need to run ocsp-stapling plugin + + + +=== TEST 5: hit, no ocsp response send:2 +--- exec +echo -n "Q" | $OPENSSL_BIN s_client -connect localhost:1994 
-servername test.com -status 2>&1 | cat +--- response_body eval +qr/OCSP response: no response sent/ +--- error_log +no 'ocsp_stapling' field found, no need to run ocsp-stapling plugin + + + +=== TEST 6: client hello without status request extension required when enabled ocsp-stapling plugin +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("t/certs/ocsp/rsa_good.crt") + local ssl_key = t.read_file("t/certs/ocsp/rsa_good.key") + + local data = { + cert = ssl_cert, + key = ssl_key, + sni = "ocsp.test.com", + ocsp_stapling = { + enabled = true + } + } + + local code, body = t.test('/apisix/admin/ssls/1', + ngx.HTTP_PUT, + core.json.encode(data) + ) + + if code >= 300 then + ngx.status = code + ngx.say(body) + return + end + + ngx.say(body) + } +} +--- response_body +passed + + + +=== TEST 7: hit, handshake ok and no ocsp response send +--- exec +echo -n "Q" | $OPENSSL_BIN s_client -connect localhost:1994 -servername ocsp.test.com 2>&1 | cat +--- response_body eval +qr/CONNECTED/ +--- error_log +no status request required, no need to send ocsp response + + + +=== TEST 8: cert without ocsp supported when enabled ocsp-stapling plugin --- config location /t { content_by_lua_block { @@ -95,7 +238,9 @@ location /t { cert = ssl_cert, key = ssl_key, sni = "test.com", - ocsp_stapling = true + ocsp_stapling = { + enabled = true + } } local code, body = t.test('/apisix/admin/ssls/1', 
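Review bot: TEST 2 only feeds the `ocsp_stapling` schema values it accepts, so the `minimum = 60` on `cache_ttl` and the property types are never shown to reject anything. Add a negative case such as `{cache_ttl = 59}` or `{enabled = "yes"}` to the loop and assert on the returned error, so a later relaxation of the schema is caught. The `--- exec` blocks in TEST 4 and TEST 5 (and TEST 7) only match `response_body` against a regex; a short comment stating that the `error_log` line is the actual assertion would make the intent clearer.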
@@ -117,41 +262,60 @@ passed -=== TEST 3: no response send, get ocsp responder url failed:1 +=== TEST 9: hit, handshake ok:1 --- exec -openssl s_client -connect localhost:1994 -servername test.com -status ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -connect localhost:1994 -servername test.com -status 2>&1 | cat +--- response_body eval qr/CONNECTED/ --- error_log -ocsp response will not send, error info: failed to get ocsp url: nil +no ocsp response send: failed to get ocsp url: cert not contains authority_information_access extension -=== TEST 4: no response send, get ocsp responder url failed:2 +=== TEST 10: hit, no ocsp response send due to get ocsp responder url failed:2 --- exec -openssl s_client -connect localhost:1994 -servername test.com -status ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -connect localhost:1994 -servername test.com -status 2>&1 | cat +--- response_body eval qr/OCSP response: no response sent/ --- error_log -ocsp response will not send, error info: failed to get ocsp url: nil +no ocsp response send: failed to get ocsp url: cert not contains authority_information_access extension -=== TEST 5: enable ocsp-stapling plugin, set cert which support ocsp +=== TEST 11: run ocsp responseder, will exit when test finished +--- config +location /t { + content_by_lua_block { + local shell = require("resty.shell") + local cmd = [[ openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/apisix.crt -nrequest 16 2>&1 1>/dev/null & ]] + local ok, stdout, stderr, reason, status = shell.run(cmd, nil, 1000, 8096) + if not ok then + ngx.log(ngx.WARN, "failed to execute the script with status: " .. status .. ", reason: " .. reason .. ", stderr: " .. 
stderr) + return + end + ngx.print(stderr) + } +} + + + +=== TEST 12: cert with ocsp supported when enabled ocsp-stapling plugin --- config location /t { content_by_lua_block { local core = require("apisix.core") local t = require("lib.test_admin") - local ssl_cert = t.read_file("t/certs/ocsp/ocsp_rsa.crt") - local ssl_key = t.read_file("t/certs/ocsp/ocsp_rsa.key") + local ssl_cert = t.read_file("t/certs/ocsp/rsa_good.crt") + local ssl_key = t.read_file("t/certs/ocsp/rsa_good.key") local data = { cert = ssl_cert, key = ssl_key, sni = "ocsp.test.com", - ocsp_stapling = true + ocsp_stapling = { + enabled = true + } } local code, body = t.test('/apisix/admin/ssls/1', 
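Review bot: TEST 11 backgrounds the responder with `-nrequest 16` and silently depends on the later blocks issuing exactly sixteen OCSP queries; nothing in the block records that coupling, so adding or removing one s_client block either leaves a listener bound on port 11451 after the suite or makes the tail tests fail with "no response sent" (and whether cached responses under the default cache_ttl of 3600 reduce the count depends on how the harness resets the shared dict between blocks — worth confirming). A comment above `cmd` such as `-- -nrequest must equal the number of OCSP queries made by TEST 13..33; update it when adding handshake tests` would make the dependency visible. The block also returns without waiting for the responder to be listening, so the first handshake in TEST 13 can race the `openssl ocsp` startup; if the harness gives no implicit delay, a short readiness check on the port before `ngx.print` would remove that flake source.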
@@ -173,36 +337,36 @@ passed -=== TEST 6: hit, get ocsp response:1 +=== TEST 13: hit, handshake ok:1 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -status -connect localhost:1994 -servername ocsp.test.com 2>&1 | cat +--- max_size: 16096 +--- response_body eval qr/CONNECTED/ -=== TEST 7: hit, get ocsp response:2 +=== TEST 14: hit, get ocsp response and status is good:2 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -status -connect localhost:1994 -servername ocsp.test.com 2>&1 | cat +--- max_size: 16096 +--- response_body eval qr/Cert Status: good/ -=== TEST 8: enable ocsp-stapling plugin, set muilt cert with ocsp support +=== TEST 15: muilt cert with ocsp supported when enabled ocsp-stapling plugin --- config location /t { content_by_lua_block { local core = require("apisix.core") local t = require("lib.test_admin") - local rsa_cert = t.read_file("t/certs/ocsp/ocsp_rsa.crt") - local rsa_key = t.read_file("t/certs/ocsp/ocsp_rsa.key") + local rsa_cert = t.read_file("t/certs/ocsp/rsa_good.crt") + local rsa_key = t.read_file("t/certs/ocsp/rsa_good.key") - local ecc_cert = t.read_file("t/certs/ocsp/ocsp_ecc.crt") - local ecc_key = t.read_file("t/certs/ocsp/ocsp_ecc.key") + local ecc_cert = t.read_file("t/certs/ocsp/ecc_good.crt") + local ecc_key = t.read_file("t/certs/ocsp/ecc_good.key") local data = { cert = rsa_cert, 
@@ -210,7 +374,9 @@ location /t { certs = { ecc_cert }, keys = { ecc_key }, sni = "ocsp.test.com", - ocsp_stapling = true + ocsp_stapling = { + enabled = true + } } local code, body = t.test('/apisix/admin/ssls/1', 
@@ -232,75 +398,77 @@ passed -=== TEST 9: hit ecc cert, get ocsp response:1 +=== TEST 16: hit ecc cert, handshake ok:1 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -connect localhost:1994 -servername ocsp.test.com -status -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 2>&1 | cat +--- max_size: 16096 +--- response_body eval qr/CONNECTED/ -=== TEST 10: hit ecc cert, get ocsp response:2 +=== TEST 17: hit ecc cert, get cert signature type:2 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -connect localhost:1994 -servername ocsp.test.com -status -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 2>&1 | cat +--- max_size: 16096 +--- response_body eval qr/Peer signature type: ECDSA/ -=== TEST 11: hit ecc cert, get ocsp response:3 +=== TEST 18: hit ecc cert, get ocsp response and status is good:3 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -connect localhost:1994 -servername ocsp.test.com -status -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 2>&1 | cat +--- max_size: 16096 +--- response_body eval qr/Cert 
Status: good/ -=== TEST 12: hit rsa cert, get ocsp response:1 +=== TEST 19: hit rsa cert, handshake ok:1 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -connect localhost:1994 -servername ocsp.test.com -status -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 2>&1 | cat +--- max_size: 16096 +--- response_body eval qr/CONNECTED/ -=== TEST 13: hit rsa cert, get ocsp response:2 +=== TEST 20: hit rsa cert, get cert signature type:2 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -connect localhost:1994 -servername ocsp.test.com -status -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 2>&1 | cat +--- max_size: 16096 +--- response_body eval qr/Peer signature type: RSA/ -=== TEST 14: hit rsa cert, get ocsp response:3 +=== TEST 21: hit rsa cert, get ocsp response and status is good:3 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -connect localhost:1994 -servername ocsp.test.com -status -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 2>&1 | cat +--- max_size: 16096 +--- response_body eval qr/Cert Status: good/ -=== TEST 15: 
enable ocsp-stapling plugin, set cert which support ocsp and revoked +=== TEST 22: cert with ocsp supported and revoked when enabled ocsp-stapling plugin --- config location /t { content_by_lua_block { local core = require("apisix.core") local t = require("lib.test_admin") - local ssl_cert = t.read_file("t/certs/ocsp/ocsp_rsa_revoked.crt") - local ssl_key = t.read_file("t/certs/ocsp/ocsp_rsa_revoked.key") + local ssl_cert = t.read_file("t/certs/ocsp/rsa_revoked.crt") + local ssl_key = t.read_file("t/certs/ocsp/rsa_revoked.key") local data = { cert = ssl_cert, key = ssl_key, - sni = "ocsp.test.com", - ocsp_stapling = true + sni = "ocsp-revoked.test.com", + ocsp_stapling = { + enabled = true + } } local code, body = t.test('/apisix/admin/ssls/1', 
@@ -322,52 +490,100 @@ passed -=== TEST 16: hit revoked rsa cert, no ocsp response send:1 +=== TEST 23: hit revoked rsa cert, handshake ok:1 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -status -connect localhost:1994 -servername ocsp-revoked.test.com 2>&1 | cat +--- response_body eval qr/CONNECTED/ --- error_log -ocsp response will not send, error info: failed to validate ocsp response: certificate status "revoked" in the OCSP response +no ocsp response send: failed to validate ocsp response: certificate status "revoked" in the OCSP response -=== TEST 17: hit revoked rsa cert, no ocsp response send:2 +=== TEST 24: hit revoked rsa cert, no ocsp response send:2 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -status -connect localhost:1994 -servername ocsp-revoked.test.com 2>&1 | cat +--- response_body eval qr/OCSP response: no response sent/ --- error_log -ocsp response will not send, error info: failed to validate ocsp response: certificate status "revoked" in the OCSP response +no ocsp response send: failed to validate ocsp response: certificate status "revoked" in the OCSP response + + + +=== TEST 25: cert with ocsp supported and revoked when enabled ocsp-stapling plugin, and skip verify +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("t/certs/ocsp/rsa_revoked.crt") + local ssl_key = 
t.read_file("t/certs/ocsp/rsa_revoked.key") + + local data = { + cert = ssl_cert, + key = ssl_key, + sni = "ocsp-revoked.test.com", + ocsp_stapling = { + enabled = true, + skip_verify = true, + } + } + + local code, body = t.test('/apisix/admin/ssls/1', + ngx.HTTP_PUT, + core.json.encode(data) + ) + + if code >= 300 then + ngx.status = code + ngx.say(body) + return + end + + ngx.say(body) + } +} +--- response_body +passed -=== TEST 18: hit revoked rsa cert, no ocsp response send:3 +=== TEST 26: hit revoked rsa cert, handshake ok:1 +--- max_size: 16096 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com ---- error_log -ocsp response will not send, error info: failed to validate ocsp response: certificate status "revoked" in the OCSP response +echo -n "Q" | $OPENSSL_BIN s_client -status -connect localhost:1994 -servername ocsp-revoked.test.com 2>&1 | cat +--- response_body eval +qr/CONNECTED/ + + + +=== TEST 27: hit revoked rsa cert, get ocsp response and status is revoked:2 +--- exec +echo -n "Q" | $OPENSSL_BIN s_client -status -connect localhost:1994 -servername ocsp-revoked.test.com 2>&1 | cat +--- max_size: 16096 +--- response_body eval +qr/Cert Status: revoked/ -=== TEST 19: enable ocsp-stapling plugin, set cert which support ocsp and unknown status +=== TEST 28: cert with ocsp supported and unknown status when enabled ocsp-stapling plugin --- config location /t { content_by_lua_block { local core = require("apisix.core") local t = require("lib.test_admin") - local ssl_cert = t.read_file("t/certs/ocsp/ocsp_rsa_unknown.crt") - local ssl_key = t.read_file("t/certs/ocsp/ocsp_rsa_unknown.key") + local ssl_cert = t.read_file("t/certs/ocsp/rsa_unknown.crt") + local ssl_key = t.read_file("t/certs/ocsp/rsa_unknown.key") local data = { cert = ssl_cert, key = 
ssl_key, - sni = "ocsp.test.com", - ocsp_stapling = true + sni = "ocsp-unknown.test.com", + ocsp_stapling = { + enabled = true + } } local code, body = t.test('/apisix/admin/ssls/1', 
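Review bot: TEST 25–27 only establish that `skip_verify = true` lets a "revoked" status be stapled; they do not pin what "skip" means for the signature and chain check, which the TEST 23 log line (`failed to validate ocsp response: certificate status "revoked"`) suggests comes from the same validate call that reports the status. If skip_verify bypasses that call entirely, a response fetched from the certificate's responder URL is stapled without any check that the expected signer produced it, and nothing in this suite would notice. A block that serves the revoked cert a response signed by a key other than t/certs/ocsp/signer.key and asserts `OCSP response: no response sent` (or the opposite, if stapling as-is is the intent) would document that boundary; the test title could also say `skip_verify staples the responder's answer as-is and leaves validation to the client` so skip_verify is not read as a status-only override.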
@@ -389,31 +605,77 @@ passed -=== TEST 20: hit unknown rsa cert, no ocsp response send:1 +=== TEST 29: hit unknown rsa cert, handshake ok:1 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -status -connect localhost:1994 -servername ocsp-unknown.test.com 2>&1 | cat +--- response_body eval qr/CONNECTED/ --- error_log -ocsp response will not send, error info: failed to validate ocsp response: certificate status "unknown" in the OCSP response +no ocsp response send: failed to validate ocsp response: certificate status "unknown" in the OCSP response -=== TEST 21: hit unknown rsa cert, no ocsp response send:2 +=== TEST 30: hit unknown rsa cert, no ocsp response send:2 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com ---- response_body_like eval +echo -n "Q" | $OPENSSL_BIN s_client -status -connect localhost:1994 -servername ocsp-unknown.test.com 2>&1 | cat +--- response_body eval qr/OCSP response: no response sent/ --- error_log -ocsp response will not send, error info: failed to validate ocsp response: certificate status "unknown" in the OCSP response +no ocsp response send: failed to validate ocsp response: certificate status "unknown" in the OCSP response + + + +=== TEST 31: cert with ocsp supported and unknown status when enabled ocsp-stapling plugin, and skip verify +--- config +location /t { + content_by_lua_block { + local core = require("apisix.core") + local t = require("lib.test_admin") + + local ssl_cert = t.read_file("t/certs/ocsp/rsa_unknown.crt") + local ssl_key = 
t.read_file("t/certs/ocsp/rsa_unknown.key") + + local data = { + cert = ssl_cert, + key = ssl_key, + sni = "ocsp-unknown.test.com", + ocsp_stapling = { + enabled = true, + skip_verify = true, + } + } + local code, body = t.test('/apisix/admin/ssls/1', + ngx.HTTP_PUT, + core.json.encode(data) + ) + if code >= 300 then + ngx.status = code + ngx.say(body) + return + end -=== TEST 22: hit unknown rsa cert, no ocsp response send:3 + ngx.say(body) + } +} +--- response_body +passed + + + +=== TEST 32: hit unknown rsa cert, handshake ok:1 +--- max_size: 16096 --- exec -openssl ocsp -index t/certs/ocsp/index.txt -port 11451 -rsigner t/certs/ocsp/signer.crt -rkey t/certs/ocsp/signer.key -CA t/certs/ocsp/ca.crt -text -nrequest 1 -resp_no_certs & -openssl s_client -status -connect localhost:1994 -servername ocsp.test.com ---- error_log -ocsp response will not send, error info: failed to validate ocsp response: certificate status "unknown" in the OCSP response +echo -n "Q" | $OPENSSL_BIN s_client -status -connect localhost:1994 -servername ocsp-unknown.test.com 2>&1 | cat +--- response_body eval +qr/CONNECTED/ + + + +=== TEST 33: hit unknown rsa cert, get ocsp response and status is unknown:2 +--- max_size: 16096 +--- exec +echo -n "Q" | $OPENSSL_BIN s_client -status -connect localhost:1994 -servername ocsp-unknown.test.com 2>&1 | cat +--- response_body eval +qr/Cert Status: unknown/ From 493409c346483745d1968aa8e65c594a69f53554 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Sun, 14 Jan 2024 21:06:21 +0800 Subject: [PATCH 21/28] lint --- t/plugin/ocsp-stapling.t | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/t/plugin/ocsp-stapling.t b/t/plugin/ocsp-stapling.t index 811005fc413f..1af469016979 100644 --- a/t/plugin/ocsp-stapling.t +++ b/t/plugin/ocsp-stapling.t 
@@ -461,7 +461,7 @@ location /t { local ssl_cert = t.read_file("t/certs/ocsp/rsa_revoked.crt") local ssl_key = t.read_file("t/certs/ocsp/rsa_revoked.key") - + local data = { cert = ssl_cert, key = ssl_key, @@ -519,7 +519,7 @@ location /t { local ssl_cert = t.read_file("t/certs/ocsp/rsa_revoked.crt") local ssl_key = t.read_file("t/certs/ocsp/rsa_revoked.key") - + local data = { cert = ssl_cert, key = ssl_key, @@ -576,7 +576,7 @@ location /t { local ssl_cert = t.read_file("t/certs/ocsp/rsa_unknown.crt") local ssl_key = t.read_file("t/certs/ocsp/rsa_unknown.key") - + local data = { cert = ssl_cert, key = ssl_key, @@ -634,7 +634,7 @@ location /t { local ssl_cert = t.read_file("t/certs/ocsp/rsa_unknown.crt") local ssl_key = t.read_file("t/certs/ocsp/rsa_unknown.key") - + local data = { cert = ssl_cert, key = ssl_key, From 031411294123983836711343c7bce6eb2701c569 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Mon, 15 Jan 2024 23:36:45 +0800 Subject: [PATCH 22/28] fix code lint --- apisix/plugins/ocsp-stapling.lua | 3 +-- conf/config-default.yaml | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua index f4dab9db5fba..3175a24d7a41 100644 --- a/apisix/plugins/ocsp-stapling.lua +++ b/apisix/plugins/ocsp-stapling.lua @@ -26,7 +26,6 @@ local ngx_ssl = require("ngx.ssl") local radixtree_sni = require("apisix.ssl.router.radixtree_sni") local core = require("apisix.core") local apisix_ssl = require("apisix.ssl") -local plugin = require("apisix.plugin") local plugin_name = "ocsp-stapling" local ocsp_resp_cache = ngx.shared[plugin_name] @@ -149,7 +148,7 @@ local function set_ocsp_resp(full_chain_pem_cert, skip_verify, cache_ttl) end -- set the OCSP stapling - ok, err = ngx_ocsp.set_ocsp_status_resp(ocsp_resp) + local ok, err = ngx_ocsp.set_ocsp_status_resp(ocsp_resp) if not ok then return false, "failed to set ocsp status response: " .. err end 
diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 4892b153c3b5..3f93ac13f701 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -525,7 +525,7 @@ plugins: # plugin list (sorted by priority) # <- recommend to use priority (0, 100) for your custom plugins - example-plugin # priority: 0 #- gm # priority: -43 - #- ocsp-stapling # priority: -44 + #- ocsp-stapling # priority: -44 - aws-lambda # priority: -1899 - azure-functions # priority: -1900 - openwhisk # priority: -1901 From 4b6e9d3cb37ab46e086dd12bdce96591c95ab0be Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Tue, 16 Jan 2024 10:34:21 +0800 Subject: [PATCH 23/28] fix license check --- .licenserc.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.licenserc.yaml b/.licenserc.yaml index 8b423f25cdd1..0fed0908f520 100644 --- a/.licenserc.yaml +++ b/.licenserc.yaml @@ -54,5 +54,7 @@ header: - 'docs/**/*.md' - '.ignore_words' - '.luacheckrc' + # Exclude file contains certificate revocation information + - 't/certs/ocsp/index.txt' comment: on-failure From d92f1a4629b94916b33012cf09a76d59f787bd91 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Tue, 16 Jan 2024 10:55:47 +0800 Subject: [PATCH 24/28] fix ci error due to /apisix/admin/ssls/1 no exist --- t/plugin/ocsp-stapling.t | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/t/plugin/ocsp-stapling.t b/t/plugin/ocsp-stapling.t index 1af469016979..2906f234cfe8 100644 --- a/t/plugin/ocsp-stapling.t +++ b/t/plugin/ocsp-stapling.t @@ -74,18 +74,13 @@ location /t { core.json.encode(data) ) - if code >= 300 then - ngx.status = code - ngx.say(body) - return - end - - ngx.say(body) + ngx.status = code + ngx.print(body) } } --- error_code: 400 ---- error_log -additional properties forbidden, found ocsp_stapling +--- response_body +{"error_msg":"invalid configuration: additional properties forbidden, found ocsp_stapling"} From c9229d5f748d6c688b25ee3948cc36df0144063e Mon Sep 17 00:00:00 2001 
From: yuweizzz Date: Tue, 16 Jan 2024 11:01:00 +0800 Subject: [PATCH 25/28] lint --- .licenserc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.licenserc.yaml b/.licenserc.yaml index 0fed0908f520..6a6083501c94 100644 --- a/.licenserc.yaml +++ b/.licenserc.yaml @@ -54,7 +54,7 @@ header: - 'docs/**/*.md' - '.ignore_words' - '.luacheckrc' - # Exclude file contains certificate revocation information + # Exclude file contains certificate revocation information - 't/certs/ocsp/index.txt' comment: on-failure From afd68a8fd821c679428a436ebd59fd4de4be5832 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Thu, 18 Jan 2024 16:17:51 +0800 Subject: [PATCH 26/28] update --- apisix/plugins/ocsp-stapling.lua | 93 ++++++++++------------------- apisix/ssl/router/radixtree_sni.lua | 1 + 2 files changed, 32 insertions(+), 62 deletions(-) diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua index 3175a24d7a41..233510f6082d 100644 --- a/apisix/plugins/ocsp-stapling.lua +++ b/apisix/plugins/ocsp-stapling.lua 
@@ -48,37 +48,6 @@ function _M.check_schema(conf) end --- same as function set_pem_ssl_key() from "apisix.ssl.router.radixtree_sni" -local function set_pem_ssl_key(sni, cert, pkey) - local r = get_request() - if r == nil then - return false, "no request found" - end - - local parsed_cert, err = apisix_ssl.fetch_cert(sni, cert) - if not parsed_cert then - return false, "failed to parse PEM cert: " .. err - end - - local ok, err = ngx_ssl.set_cert(parsed_cert) - if not ok then - return false, "failed to set PEM cert: " .. err - end - - local parsed_pkey, err = apisix_ssl.fetch_pkey(sni, pkey) - if not parsed_pkey then - return false, "failed to parse PEM priv key: " .. err - end - - ok, err = ngx_ssl.set_priv_key(parsed_pkey) - if not ok then - return false, "failed to set PEM priv key: " .. err - end - - return true -end - - local function fetch_ocsp_resp(der_cert_chain) core.log.info("fetch ocsp response from remote") local ocsp_url, err = ngx_ocsp.get_ocsp_responder_from_der_chain(der_cert_chain) @@ -161,7 +130,7 @@ local original_set_cert_and_key local function set_cert_and_key(sni, value) if value.gm then -- should not run with gm plugin - core.log.info("gm plugin enabled, no need to run ocsp-stapling plugin") + core.log.warn("gm plugin enabled, no need to run ocsp-stapling plugin") return original_set_cert_and_key(sni, value) end 
@@ -170,42 +139,42 @@ local function set_cert_and_key(sni, value) return original_set_cert_and_key(sni, value) end - if value.ocsp_stapling.enabled then - if not ngx.ctx.tls_ext_status_req then - core.log.info("no status request required, no need to send ocsp response") - return original_set_cert_and_key(sni, value) - end + if not value.ocsp_stapling.enabled then + return original_set_cert_and_key(sni, value) + end - local ok, err = set_pem_ssl_key(sni, value.cert, value.key) - if not ok then - return false, err - end - local fin_pem_cert = value.cert - - -- multiple certificates support. - if value.certs then - for i = 1, #value.certs do - local cert = value.certs[i] - local key = value.keys[i] - ok, err = set_pem_ssl_key(sni, cert, key) - if not ok then - return false, err - end - fin_pem_cert = cert - end - end + if not ngx.ctx.tls_ext_status_req then + core.log.info("no status request required, no need to send ocsp response") + return original_set_cert_and_key(sni, value) + end - local ok, err = set_ocsp_resp(fin_pem_cert, - value.ocsp_stapling.skip_verify, - value.ocsp_stapling.cache_ttl) - if not ok then - core.log.error("no ocsp response send: ", err) + local ok, err = radixtree_sni.set_pem_ssl_key(sni, value.cert, value.key) + if not ok then + return false, err + end + local fin_pem_cert = value.cert + + -- multiple certificates support. + if value.certs then + for i = 1, #value.certs do + local cert = value.certs[i] + local key = value.keys[i] + ok, err = radixtree_sni.set_pem_ssl_key(sni, cert, key) + if not ok then + return false, err + end + fin_pem_cert = cert end + end - return true + local ok, err = set_ocsp_resp(fin_pem_cert, + value.ocsp_stapling.skip_verify, + value.ocsp_stapling.cache_ttl) + if not ok then + core.log.error("no ocsp response send: ", err) end - return original_set_cert_and_key(sni, value) + return true end diff --git a/apisix/ssl/router/radixtree_sni.lua b/apisix/ssl/router/radixtree_sni.lua index b6824852e0b3..c0c6ab994ea1 100644 
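Review bot: With multiple certificates configured, `fin_pem_cert` is overwritten on every loop iteration, so `set_ocsp_resp(fin_pem_cert, ...)` always fetches the response for the last entry of `value.certs` rather than for the certificate the handshake ends up negotiating; as far as I know `ngx_ocsp.set_ocsp_status_resp` installs a single response for the connection, so an RSA handshake against a config whose last cert is ECC (the TEST 15/TEST 21 layout) would staple the ECC cert's status, and a grep for `Cert Status: good` cannot catch the mismatch. If that is an accepted limitation, say so next to the loop, e.g. `-- NOTE: only the last certificate's OCSP response is stapled; a client negotiating another cert from this list receives a staple for a different certificate`. Separately, `local ok, err` is declared twice in the same scope (after set_pem_ssl_key and again before the error log); dropping the second `local` avoids the luacheck redeclaration warning. set_cert_and_key begins outside this hunk.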
--- a/apisix/ssl/router/radixtree_sni.lua +++ b/apisix/ssl/router/radixtree_sni.lua @@ -118,6 +118,7 @@ local function set_pem_ssl_key(sni, cert, pkey) return true end +_M.set_pem_ssl_key = set_pem_ssl_key -- export the set cert/key process so we can hook it in the other plugins From ec7dee34b66e0f1c184cd4fd551f85287c1fa0c4 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Thu, 18 Jan 2024 16:20:58 +0800 Subject: [PATCH 27/28] fix --- t/plugin/ocsp-stapling.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/plugin/ocsp-stapling.t b/t/plugin/ocsp-stapling.t index 2906f234cfe8..1d32c02f19c2 100644 --- a/t/plugin/ocsp-stapling.t +++ b/t/plugin/ocsp-stapling.t @@ -277,7 +277,7 @@ no ocsp response send: failed to get ocsp url: cert not contains authority_infor -=== TEST 11: run ocsp responseder, will exit when test finished +=== TEST 11: run ocsp responder, will exit when test finished --- config location /t { content_by_lua_block { From 1d61d67485cbfe03be4787d657b64b6fca2edebd Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Fri, 19 Jan 2024 14:50:11 +0800 Subject: [PATCH 28/28] lint --- apisix/plugins/ocsp-stapling.lua | 2 -- 1 file changed, 2 deletions(-) diff --git a/apisix/plugins/ocsp-stapling.lua b/apisix/plugins/ocsp-stapling.lua index 233510f6082d..cbe2bb1e4b79 100644 --- a/apisix/plugins/ocsp-stapling.lua +++ b/apisix/plugins/ocsp-stapling.lua @@ -18,14 +18,12 @@ -- local require = require -local get_request = require("resty.core.base").get_request local http = require("resty.http") local ngx = ngx local ngx_ocsp = require("ngx.ocsp") local ngx_ssl = require("ngx.ssl") local radixtree_sni = require("apisix.ssl.router.radixtree_sni") local core = require("apisix.core") -local apisix_ssl = require("apisix.ssl") local plugin_name = "ocsp-stapling" local ocsp_resp_cache = ngx.shared[plugin_name]