From 1f94b89309bcd56a2883cd1b0eb2db610251095e Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Thu, 23 Jul 2020 12:11:12 -0700
Subject: [PATCH] quic: refactor ocsp to use async function rather than
 event/callback

PR-URL: https://github.com/nodejs/node/pull/34498
Reviewed-By: Anna Henningsen <anna@addaleax.net>
---
 doc/api/quic.md                               |  91 ++++++++------
 lib/internal/quic/core.js                     | 117 ++++++++----------
 lib/internal/quic/util.js                     |  33 +++--
 src/quic/node_quic_session.cc                 |  10 +-
 src/quic/node_quic_session.h                  |   2 +-
 test/parallel/test-quic-client-server.js      |  69 ++++++-----
 .../test-quic-errors-quicsocket-connect.js    |   4 +-
 7 files changed, 177 insertions(+), 149 deletions(-)

diff --git a/doc/api/quic.md b/doc/api/quic.md
index 64b5f7ff087437..9a2d94080cde71 100644
--- a/doc/api/quic.md
+++ b/doc/api/quic.md
@@ -1188,23 +1188,6 @@ added: REPLACEME
 The `QuicClientSession` class implements the client side of a QUIC connection.
 Instances are created using the `quicsocket.connect()` method.
 
-#### Event: `'OCSPResponse'`
-<!-- YAML
-added: REPLACEME
--->
-
-Emitted when the `QuicClientSession` receives a requested OCSP certificate
-status response from the QUIC server peer.
-
-The callback is invoked with a single argument:
-
-* `response` {Buffer}
-
-Node.js does not perform any automatic validation or processing of the
-response.
-
-The `'OCSPResponse'` event will not be emitted more than once.
-
 #### Event: `'sessionTicket'`
 <!-- YAML
 added: REPLACEME
@@ -1313,24 +1296,6 @@ The callback is invoked with four arguments:
 
 The `'clientHello'` event will not be emitted more than once.
 
-#### Event: `'OCSPRequest'`
-<!-- YAML
-added: REPLACEME
--->
-
-Emitted when the `QuicServerSession` has received a OCSP certificate status
-request as part of the TLS handshake.
-
-The callback is invoked with three arguments:
-
-* `servername` {string}
-* `context` {tls.SecureContext}
-* `callback` {Function}
-
-The callback *must* be invoked in order for the TLS handshake to continue.
-
-The `'OCSPRequest'` event will not be emitted more than once.
-
 #### `quicserversession.addContext(servername\[, context\])`
 <!-- YAML
 added: REPLACEME
@@ -1681,6 +1646,7 @@ added: REPLACEME
     * `qpackBlockedStreams` {number}
     * `maxHeaderListSize` {number}
     * `maxPushes` {number}
+  * `ocspHandler` {Function} A function for handling [OCSP responses][].
   * `passphrase` {string} Shared passphrase used for a single private key and/or
     a PFX.
   * `pfx` {string|string[]|Buffer|Buffer[]|Object[]} PFX or PKCS12 encoded
@@ -1702,9 +1668,6 @@ added: REPLACEME
     `QuicClientSession` object.
   * `qlog` {boolean} Whether to enable ['qlog'][] for this session.
     Default: `false`.
-  * `requestOCSP` {boolean} If `true`, specifies that the OCSP status request
-    extension will be added to the client hello and an `'OCSPResponse'` event
-    will be emitted before establishing a secure communication.
   * `secureOptions` {number} Optionally affect the OpenSSL protocol behavior,
     which is not usually necessary. This should be used carefully if at all!
     Value is a numeric bitmask of the `SSL_OP_*` options from
@@ -1852,6 +1815,7 @@ added: REPLACEME
   * `maxStreamDataBidiLocal` {number}
   * `maxStreamDataBidiRemote` {number}
   * `maxStreamDataUni` {number}
+  * `ocspHandler` {Function} A function for handling [OCSP requests][].
   * `passphrase` {string} Shared passphrase used for a single private key
     and/or a PFX.
   * `pfx` {string|string[]|Buffer|Buffer[]|Object[]} PFX or PKCS12 encoded
@@ -2466,6 +2430,55 @@ async function myCustomLookup(address, type) {
 }
 ```
 
+### Online Certificate Status Protocol (OCSP)
+
+The QUIC implementation supports use of OCSP during the TLS 1.3 handshake
+of a new QUIC session.
+
+#### Requests
+
+A `QuicServerSession` can receive and process OCSP requests by setting the
+`ocspHandler` option in the `quicsocket.listen()` function. The value of
+the `ocspHandler` is an async function that must return an object with the
+OCSP response and, optionally, a new {tls.SecureContext} to use during the
+handshake.
+
+The handler function will be invoked with two arguments:
+
+* `type`: {string} Will always be `request` for `QuicServerSession`.
+* `options`: {Object}
+  * `servername` {string} The SNI server name.
+  * `context` {tls.SecureContext} The `SecureContext` currently used.
+
+```js
+async function ocspServerHandler(type, { servername, context }) {
+  // Process the request...
+  return { data: Buffer.from('The OCSP response') };
+}
+
+sock.listen({ ocspHandler: ocspServerHandler });
+```
+
+#### Responses
+
+A `QuicClientSession` can receive and process OCSP responses by setting the
+`ocspHandler` option in the `quicsocket.connect()` function. The value of
+the `ocspHandler` is an async function with no expected return value.
+
+The handler function will be invoked with two arguments:
+
+* `type`: {string} Will always be `response` for `QuicClientSession`.
+* `options`: {Object}
+  * `data`: {Buffer} The OCSP response provided by the server
+
+```js
+async function ocspClientHandler(type, { data }) {
+  console.log(data.toString());
+}
+
+sock.connect({ ocspHandler: ocspClientHandler });
+```
+
 [`crypto.getCurves()`]: crypto.html#crypto_crypto_getcurves
 [`stream.Readable`]: #stream_class_stream_readable
 [`tls.DEFAULT_ECDH_CURVE`]: #tls_tls_default_ecdh_curve
@@ -2475,6 +2488,8 @@ async function myCustomLookup(address, type) {
 [Certificate Object]: https://nodejs.org/dist/latest-v12.x/docs/api/tls.html#tls_certificate_object
 [custom DNS lookup function]: #quic_custom_dns_lookup_functions
 [modifying the default cipher suite]: tls.html#tls_modifying_the_default_tls_cipher_suite
+[OCSP requests]: #quic_online_certificate_status_protocol_ocsp
+[OCSP responses]: #quic_online_certificate_status_protocol_ocsp
 [OpenSSL Options]: crypto.html#crypto_openssl_options
 [Perfect Forward Secrecy]: #tls_perfect_forward_secrecy
 [promisified version of `lookup()`]: dns.html#dns_dnspromises_lookup_hostname_options
diff --git a/lib/internal/quic/core.js b/lib/internal/quic/core.js
index 6a227d3d4ae965..821b2839fe9375 100644
--- a/lib/internal/quic/core.js
+++ b/lib/internal/quic/core.js
@@ -209,11 +209,11 @@ const kAddSession = Symbol('kAddSession');
 const kAddStream = Symbol('kAddStream');
 const kBind = Symbol('kBind');
 const kClose = Symbol('kClose');
-const kCert = Symbol('kCert');
 const kClientHello = Symbol('kClientHello');
 const kDestroy = Symbol('kDestroy');
 const kEndpointBound = Symbol('kEndpointBound');
 const kEndpointClose = Symbol('kEndpointClose');
+const kHandleOcsp = Symbol('kHandleOcsp');
 const kHandshake = Symbol('kHandshake');
 const kHandshakeComplete = Symbol('kHandshakeComplete');
 const kHandshakePost = Symbol('kHandshakePost');
@@ -323,52 +323,37 @@ function onSessionClientHello(alpn, servername, ciphers) {
     clientHelloCallback.bind(this));
 }
 
-// Used only within the onSessionCert function. Invoked
-// to complete the session cert process.
-function sessionCertCallback(err, context, ocspResponse) {
-  if (err) {
-    this[owner_symbol].destroy(err);
-    return;
-  }
-  if (context != null && !context.context) {
-    this[owner_symbol].destroy(
-      new ERR_INVALID_ARG_TYPE(
-        'context',
-        'SecureContext',
-        context));
-  }
-  if (ocspResponse != null) {
-    if (typeof ocspResponse === 'string')
-      ocspResponse = Buffer.from(ocspResponse);
-    if (!isArrayBufferView(ocspResponse)) {
-      this[owner_symbol].destroy(
-        new ERR_INVALID_ARG_TYPE(
-          'ocspResponse',
-          ['string', 'Buffer', 'TypedArray', 'DataView'],
-          ocspResponse));
-    }
-  }
-  try {
-    this.onCertDone(context ? context.context : undefined, ocspResponse);
-  } catch (err) {
-    this[owner_symbol].destroy(err);
-  }
-}
-
 // This callback is only ever invoked for QuicServerSession instances,
 // and is used to trigger OCSP request processing when needed. The
 // user callback must invoke .onCertDone() in order for the
 // TLS handshake to continue.
 function onSessionCert(servername) {
-  this[owner_symbol][kCert](servername, sessionCertCallback.bind(this));
+  this[owner_symbol][kHandleOcsp](servername)
+    .then(({ context, data }) => {
+      if (context !== undefined && !context?.context)
+        throw new ERR_INVALID_ARG_TYPE('context', 'SecureContext', context);
+      if (data !== undefined) {
+        if (typeof data === 'string')
+          data = Buffer.from(data);
+        if (!isArrayBufferView(data)) {
+          throw new ERR_INVALID_ARG_TYPE(
+            'data',
+            ['string', 'Buffer', 'TypedArray', 'DataView'],
+            data);
+        }
+      }
+      this.onCertDone(context?.context, data);
+    })
+    .catch((error) => this[owner_symbol].destroy(error));
 }
 
 // This callback is only ever invoked for QuicClientSession instances,
 // and is used to deliver the OCSP response as provided by the server.
 // If the requestOCSP configuration option is false, this will never
 // be called.
-function onSessionStatus(response) {
-  this[owner_symbol][kCert](response);
+function onSessionStatus(data) {
+  this[owner_symbol][kHandleOcsp](data)
+    .catch((error) => this[owner_symbol].destroy(error));
 }
 
 // Called by the C++ internals when the TLS handshake is completed.
@@ -524,12 +509,12 @@ setCallbacks({
   onSocketServerBusy,
   onSessionReady,
   onSessionCert,
+  onSessionStatus,
   onSessionClientHello,
   onSessionClose,
   onSessionHandshake,
   onSessionKeylog,
   onSessionQlog,
-  onSessionStatus,
   onSessionTicket,
   onSessionVersionNegotiation,
   onStreamReady,
@@ -933,6 +918,7 @@ class QuicSocket extends EventEmitter {
     listenPending: false,
     listenPromise: undefined,
     lookup: undefined,
+    ocspHandler: undefined,
     server: undefined,
     serverSecureContext: undefined,
     sessions: new Set(),
@@ -1032,6 +1018,7 @@ class QuicSocket extends EventEmitter {
     return {
       highWaterMark: state.highWaterMark,
       defaultEncoding: state.defaultEncoding,
+      ocspHandler: state.ocspHandler,
     };
   }
 
@@ -1224,6 +1211,7 @@ class QuicSocket extends EventEmitter {
       lookup = state.lookup,
       defaultEncoding,
       highWaterMark,
+      ocspHandler,
       transportParams,
     } = validateQuicSocketListenOptions(options);
 
@@ -1239,6 +1227,7 @@ class QuicSocket extends EventEmitter {
     state.defaultEncoding = defaultEncoding;
     state.alpn = alpn;
     state.listenPending = true;
+    state.ocspHandler = ocspHandler;
 
     await this[kMaybeBind]();
 
@@ -1663,6 +1652,7 @@ class QuicSession extends EventEmitter {
     handshakeCompletePromiseReject: undefined,
     idleTimeout: false,
     maxPacketLength: NGTCP2_DEFAULT_MAX_PKTLEN,
+    ocspHandler: undefined,
     servername: undefined,
     socket: undefined,
     silentClose: false,
@@ -1685,6 +1675,7 @@ class QuicSession extends EventEmitter {
       servername,
       highWaterMark,
       defaultEncoding,
+      ocspHandler,
     } = options;
     super({ captureRejections: true });
     this.on('newListener', onNewListener);
@@ -1695,6 +1686,7 @@ class QuicSession extends EventEmitter {
     state.alpn = alpn;
     state.highWaterMark = highWaterMark;
     state.defaultEncoding = defaultEncoding;
+    state.ocspHandler = ocspHandler;
     socket[kAddSession](this);
   }
 
@@ -1758,6 +1750,7 @@ class QuicSession extends EventEmitter {
       state.state = new QuicSessionSharedState(handle.state);
       state.handshakeAckHistogram = new Histogram(handle.ack);
       state.handshakeContinuationHistogram = new Histogram(handle.rate);
+      state.state.ocspEnabled = state.ocspHandler !== undefined;
       if (handle.qlogStream !== undefined) {
         this[kSetQLogStream](handle.qlogStream);
         handle.qlogStream = undefined;
@@ -2284,8 +2277,9 @@ class QuicServerSession extends QuicSession {
     const {
       highWaterMark,
       defaultEncoding,
+      ocspHandler,
     } = options;
-    super(socket, { highWaterMark, defaultEncoding });
+    super(socket, { highWaterMark, defaultEncoding, ocspHandler });
     this[kSetHandle](handle);
   }
 
@@ -2301,26 +2295,18 @@ class QuicServerSession extends QuicSession {
       callback.bind(this[kHandle]));
   }
 
-  // Called only when an OCSPRequest event handler is registered.
-  // Allows user code the ability to answer the OCSP query.
-  [kCert](servername, callback) {
+  async [kHandleOcsp](servername) {
+    const internalState = this[kInternalState];
     const state = this[kInternalServerState];
-    const { serverSecureContext } = this.socket;
-    let { context } = serverSecureContext;
-
-    for (var i = 0; i < state.contexts.length; i++) {
-      const elem = state.contexts[i];
-      if (elem[0].test(servername)) {
-        context = elem[1];
-        break;
-      }
-    }
-
-    this.emit(
-      'OCSPRequest',
-      servername,
-      context,
-      callback.bind(this[kHandle]));
+    const { context } = this.socket.serverSecureContext;
+
+    return internalState.ocspHandler?.(
+      'request',
+      {
+        servername,
+        context,
+        contexts: Array.from(state.contexts)
+      });
   }
 
   get allowEarlyData() { return false; }
@@ -2358,10 +2344,10 @@ class QuicClientSession extends QuicSession {
       alpn,
       dcid,
       minDHSize,
+      ocspHandler,
       port,
       preferredAddressPolicy,
       remoteTransportParams,
-      requestOCSP,
       servername,
       sessionTicket,
       verifyHostnameIdentity,
@@ -2379,7 +2365,13 @@ class QuicClientSession extends QuicSession {
       );
     }
 
-    super(socket, { servername, alpn, highWaterMark, defaultEncoding });
+    super(socket, {
+      servername,
+      alpn,
+      highWaterMark,
+      defaultEncoding,
+      ocspHandler
+    });
     const state = this[kInternalClientState];
     state.handshakeStarted = autoStart;
     state.minDHSize = minDHSize;
@@ -2412,7 +2404,7 @@ class QuicClientSession extends QuicSession {
         this.alpnProtocol,
         (verifyHostnameIdentity ?
           QUICCLIENTSESSION_OPTION_VERIFY_HOSTNAME_IDENTITY : 0) |
-        (requestOCSP ?
+        (ocspHandler !== undefined ?
           QUICCLIENTSESSION_OPTION_REQUEST_OCSP : 0),
         qlog,
         autoStart);
@@ -2444,8 +2436,9 @@ class QuicClientSession extends QuicSession {
     return true;
   }
 
-  [kCert](response) {
-    this.emit('OCSPResponse', response);
+  async [kHandleOcsp](data) {
+    const internalState = this[kInternalState];
+    return internalState.ocspHandler?.('response', { data });
   }
 
   get allowEarlyData() {
diff --git a/lib/internal/quic/util.js b/lib/internal/quic/util.js
index f46a8714e00a20..3d0ebb0884af7a 100644
--- a/lib/internal/quic/util.js
+++ b/lib/internal/quic/util.js
@@ -72,7 +72,7 @@ const {
 
     IDX_QUICSESSION_STATE_KEYLOG_ENABLED,
     IDX_QUICSESSION_STATE_CLIENT_HELLO_ENABLED,
-    IDX_QUICSESSION_STATE_CERT_ENABLED,
+    IDX_QUICSESSION_STATE_OCSP_ENABLED,
     IDX_QUICSESSION_STATE_PATH_VALIDATED_ENABLED,
     IDX_QUICSESSION_STATE_USE_PREFERRED_ADDRESS_ENABLED,
     IDX_QUICSESSION_STATE_HANDSHAKE_CONFIRMED,
@@ -368,10 +368,10 @@ function validateQuicClientSessionOptions(options = {}) {
     alpn = '',
     dcid: dcid_value,
     minDHSize = 1024,
+    ocspHandler,
     port = 0,
     preferredAddressPolicy = 'ignore',
     remoteTransportParams,
-    requestOCSP = false,
     servername = (isIP(address) ? '' : address),
     sessionTicket,
     verifyHostnameIdentity = true,
@@ -434,23 +434,29 @@ function validateQuicClientSessionOptions(options = {}) {
   if (preferredAddressPolicy !== undefined)
     validateString(preferredAddressPolicy, 'options.preferredAddressPolicy');
 
-  validateBoolean(requestOCSP, 'options.requestOCSP');
   validateBoolean(verifyHostnameIdentity, 'options.verifyHostnameIdentity');
   validateBoolean(qlog, 'options.qlog');
 
+  if (ocspHandler !== undefined && typeof ocspHandler !== 'function') {
+    throw new ERR_INVALID_ARG_TYPE(
+      'options.ocspHandler',
+      'functon',
+      ocspHandler);
+  }
+
   return {
     autoStart,
     address,
     alpn,
     dcid,
     minDHSize,
+    ocspHandler,
     port,
     preferredAddressPolicy:
       preferredAddressPolicy === 'accept' ?
         QUIC_PREFERRED_ADDRESS_USE :
         QUIC_PREFERRED_ADDRESS_IGNORE,
     remoteTransportParams,
-    requestOCSP,
     servername,
     sessionTicket,
     verifyHostnameIdentity,
@@ -605,6 +611,7 @@ function validateQuicSocketListenOptions(options = {}) {
     alpn = NGHTTP3_ALPN_H3,
     defaultEncoding,
     highWaterMark,
+    ocspHandler,
     requestCert,
     rejectUnauthorized,
     lookup,
@@ -616,6 +623,12 @@ function validateQuicSocketListenOptions(options = {}) {
     validateBoolean(requestCert, 'options.requestCert');
   if (lookup !== undefined)
     validateLookup(lookup);
+  if (ocspHandler !== undefined && typeof ocspHandler !== 'function') {
+    throw new ERR_INVALID_ARG_TYPE(
+      'options.ocspHandler',
+      'functon',
+      ocspHandler);
+  }
   const transportParams =
     validateTransportParams(
       options,
@@ -625,6 +638,7 @@ function validateQuicSocketListenOptions(options = {}) {
   return {
     alpn,
     lookup,
+    ocspHandler,
     rejectUnauthorized,
     requestCert,
     transportParams,
@@ -804,9 +818,6 @@ function toggleListeners(state, event, on) {
     case 'pathValidation':
       state.pathValidatedEnabled = on;
       break;
-    case 'OCSPRequest':
-      state.certEnabled = on;
-      break;
     case 'usePreferredAddress':
       state.usePreferredAddressEnabled = on;
       break;
@@ -915,14 +926,14 @@ class QuicSessionSharedState {
       .writeUInt8(on ? 1 : 0, IDX_QUICSESSION_STATE_CLIENT_HELLO_ENABLED);
   }
 
-  get certEnabled() {
+  get ocspEnabled() {
     return Boolean(this[kHandle]
-      .readUInt8(IDX_QUICSESSION_STATE_CERT_ENABLED));
+      .readUInt8(IDX_QUICSESSION_STATE_OCSP_ENABLED));
   }
 
-  set certEnabled(on) {
+  set ocspEnabled(on) {
     this[kHandle]
-      .writeUInt8(on ? 1 : 0, IDX_QUICSESSION_STATE_CERT_ENABLED);
+      .writeUInt8(on ? 1 : 0, IDX_QUICSESSION_STATE_OCSP_ENABLED);
   }
 
   get pathValidatedEnabled() {
diff --git a/src/quic/node_quic_session.cc b/src/quic/node_quic_session.cc
index c8384509a6f46e..041c601a3c3268 100644
--- a/src/quic/node_quic_session.cc
+++ b/src/quic/node_quic_session.cc
@@ -944,11 +944,14 @@ int QuicCryptoContext::OnClientHello() {
 // function that must be called in order for the TLS handshake to
 // continue.
 int QuicCryptoContext::OnOCSP() {
-  if (LIKELY(session_->state_->cert_enabled == 0)) {
+  if (LIKELY(session_->state_->ocsp_enabled == 0)) {
     Debug(session(), "No OCSPRequest handler registered");
     return 1;
   }
 
+  if (!session_->is_server())
+    return 1;
+
   Debug(session(), "Client is requesting an OCSP Response");
   TLSCallbackScope callback_scope(this);
 
@@ -983,7 +986,7 @@ void QuicCryptoContext::OnOCSPDone(
       [&]() { set_in_ocsp_request(false); });
 
   // Disable the callback at this point so we don't loop continuously
-  session_->state_->cert_enabled = 0;
+  session_->state_->ocsp_enabled = 0;
 
   if (context) {
     int err = crypto::UseSNIContext(ssl_, context);
@@ -1064,6 +1067,9 @@ int QuicCryptoContext::OnTLSStatus() {
       return SSL_TLSEXT_ERR_OK;
     }
     case NGTCP2_CRYPTO_SIDE_CLIENT: {
+      // Only invoke the callback if the ocsp handler is actually set
+      if (LIKELY(session_->state_->ocsp_enabled == 0))
+        return 1;
       Local<Value> res;
       if (ocsp_response().ToLocal(&res))
         session_->listener()->OnOCSP(res);
diff --git a/src/quic/node_quic_session.h b/src/quic/node_quic_session.h
index ee268519a972e5..2a034b8c24c5a9 100644
--- a/src/quic/node_quic_session.h
+++ b/src/quic/node_quic_session.h
@@ -147,7 +147,7 @@ enum QuicClientSessionOptions : uint32_t {
 #define QUICSESSION_SHARED_STATE(V)                                            \
   V(KEYLOG_ENABLED, keylog_enabled, uint8_t)                                   \
   V(CLIENT_HELLO_ENABLED, client_hello_enabled, uint8_t)                       \
-  V(CERT_ENABLED, cert_enabled, uint8_t)                                       \
+  V(OCSP_ENABLED, ocsp_enabled, uint8_t)                                       \
   V(PATH_VALIDATED_ENABLED, path_validated_enabled, uint8_t)                   \
   V(USE_PREFERRED_ADDRESS_ENABLED, use_preferred_address_enabled, uint8_t)     \
   V(HANDSHAKE_CONFIRMED, handshake_confirmed, uint8_t)                         \
diff --git a/test/parallel/test-quic-client-server.js b/test/parallel/test-quic-client-server.js
index 6574d734947262..2777fb7c113958 100644
--- a/test/parallel/test-quic-client-server.js
+++ b/test/parallel/test-quic-client-server.js
@@ -44,7 +44,42 @@ const unidata = ['I wonder if it worked.', 'test'];
 const kServerName = 'agent2';  // Intentionally the wrong servername
 const kALPN = 'zzz';  // ALPN can be overriden to whatever we want
 
-const options = { key, cert, ca, alpn: kALPN, qlog };
+const {
+  setImmediate: setImmediatePromise
+} = require('timers/promises');
+
+const ocspHandler = common.mustCall(async function(type, options) {
+  debug(`QuicClientSession received an OCSP ${type}"`);
+  switch (type) {
+    case 'request':
+      const {
+        servername,
+        context
+      } = options;
+
+      assert.strictEqual(servername, kServerName);
+
+      // This will be a SecureContext. By default it will
+      // be the SecureContext used to create the QuicSession.
+      // If the user wishes to do something with it, it can,
+      // but if it wishes to pass in a new SecureContext,
+      // it can pass it in as the second argument to the
+      // callback below.
+      assert(context);
+      debug('QuicServerSession Certificate: ', context.getCertificate());
+      debug('QuicServerSession Issuer: ', context.getIssuer());
+
+      // Handshake will pause until the Promise resolves
+      await setImmediatePromise();
+
+      return { data: Buffer.from('hello') };
+    case 'response':
+      const { data } = options;
+      assert.strictEqual(data.toString(), 'hello');
+  }
+}, 2);
+
+const options = { key, cert, ca, alpn: kALPN, qlog, ocspHandler };
 
 const client = createQuicSocket({ qlog, client: options });
 const server = createQuicSocket({
@@ -109,32 +144,6 @@ client.on('close', common.mustCall(onSocketClose.bind(client)));
         cb();
       }));
 
-    session.on('OCSPRequest', common.mustCall((servername, context, cb) => {
-      debug('QuicServerSession received a OCSP request');
-      assert.strictEqual(servername, kServerName);
-
-      // This will be a SecureContext. By default it will
-      // be the SecureContext used to create the QuicSession.
-      // If the user wishes to do something with it, it can,
-      // but if it wishes to pass in a new SecureContext,
-      // it can pass it in as the second argument to the
-      // callback below.
-      assert(context);
-      debug('QuicServerSession Certificate: ', context.getCertificate());
-      debug('QuicServerSession Issuer: ', context.getIssuer());
-
-      // The callback can be invoked asynchronously
-      setImmediate(() => {
-        // The first argument is a potential error,
-        // in which case the session will be destroyed
-        // immediately.
-        // The second is an optional new SecureContext
-        // The third is the ocsp response.
-        // All arguments are optional
-        cb(null, null, Buffer.from('hello'));
-      });
-    }));
-
     session.on('secure', common.mustCall((servername, alpn, cipher) => {
       debug('QuicServerSession TLS Handshake Complete');
       debug('  Server name: %s', servername);
@@ -255,7 +264,6 @@ client.on('close', common.mustCall(onSocketClose.bind(client)));
     address: 'localhost',
     port: endpoint.address.port,
     servername: kServerName,
-    requestOCSP: true,
   });
   if (qlog) req.qlog.pipe(createWriteStream('client.qlog'));
 
@@ -263,11 +271,6 @@ client.on('close', common.mustCall(onSocketClose.bind(client)));
 
   req.on('usePreferredAddress', common.mustNotCall());
 
-  req.on('OCSPResponse', common.mustCall((response) => {
-    debug(`QuicClientSession OCSP response: "${response.toString()}"`);
-    assert.strictEqual(response.toString(), 'hello');
-  }));
-
   req.on('sessionTicket', common.mustCall((ticket, params) => {
     debug('Session ticket received');
     assert(ticket instanceof Buffer);
diff --git a/test/parallel/test-quic-errors-quicsocket-connect.js b/test/parallel/test-quic-errors-quicsocket-connect.js
index 44ae763aa53656..e9aba4b0ce588c 100644
--- a/test/parallel/test-quic-errors-quicsocket-connect.js
+++ b/test/parallel/test-quic-errors-quicsocket-connect.js
@@ -142,8 +142,8 @@ const client = createQuicSocket();
     });
   }));
 
-  await Promise.all([1, 1n, 'test', [], {}].map((requestOCSP) => {
-    return assert.rejects(client.connect({ requestOCSP }), {
+  await Promise.all([1, 1n, 'test', [], {}].map((ocspHandler) => {
+    return assert.rejects(client.connect({ ocspHandler }), {
       code: 'ERR_INVALID_ARG_TYPE'
     });
   }));