| author | beck <> | 2016-11-04 05:13:13 +0000 |
|---|---|---|
| committer | beck <> | 2016-11-04 05:13:13 +0000 |
| commit | 75d6d2ca7daaedc9ebe7930439f3c31b2fbf5f60 (patch) | |
| tree | beb66ed0e210e9dcdda1ae81df9eaf1ac13b84b6 /src/lib/libtls/tls_ocsp.c | |
| parent | 634ebace8103bf766f556cfe3aefdcdc5974a402 (diff) | |
| download | openbsd-75d6d2ca7daaedc9ebe7930439f3c31b2fbf5f60.tar.gz openbsd-75d6d2ca7daaedc9ebe7930439f3c31b2fbf5f60.tar.bz2 openbsd-75d6d2ca7daaedc9ebe7930439f3c31b2fbf5f60.zip | |
Add ocsp_require_stapling config option for tls - allows a connection
to indicate that it requires the peer to provide a stapled OCSP response
with the handshake. Provide a "-T muststaple" for nc that uses it.
ok jsing@, guenther@
Diffstat (limited to 'src/lib/libtls/tls_ocsp.c')
| -rw-r--r-- | src/lib/libtls/tls_ocsp.c | 7 |
1 files changed, 6 insertions, 1 deletions
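--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -304,8 +304,13 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg)
 		return -1;
 
 	size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw);
-	if (size <= 0)
+	if (size <= 0) {
+		if (ctx->config->ocsp_require_stapling) {
+			tls_set_errorx(ctx, "no stapled OCSP response provided");
+			return 0;
+		}
 		return 1;
+	}
 
 	tls_ocsp_ctx_free(ctx->ocsp_ctx);
 	ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx);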
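Review bot: The new must-staple branch only covers the case where no response is stapled at all (`size <= 0`); whether a response that is present but fails verification is also rejected when `ocsp_require_stapling` is set is decided by the code after `tls_ocsp_setup_from_peer`, which lies outside this hunk, so the two paths should be checked to agree rather than leaving a present-but-bad response as the weaker case. The reason for the return value is worth a comment, since `0` and `1` read alike here: `/* 0 aborts the handshake: a stapled response was requested and the config makes it mandatory. */`. This also presumes the status request was actually sent for this ctx before the callback runs; if the callback can fire without it, the peer never had the chance to staple and the connection would be refused for a reason outside the peer's control, which is worth confirming. tls_ocsp_verify_cb begins and ends outside this hunk.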
