diff options
| author | beck <> | 2016-11-04 05:13:13 +0000 |
|---|---|---|
| committer | beck <> | 2016-11-04 05:13:13 +0000 |
| commit | dfcc608101125b045153abb36d8b26d283aeb812 (patch) | |
| tree | beb66ed0e210e9dcdda1ae81df9eaf1ac13b84b6 /src/lib/libtls/tls_ocsp.c | |
| parent | 85d1a393066ebc8950b3667cae2d5c9e9da47ed8 (diff) | |
| download | openbsd-dfcc608101125b045153abb36d8b26d283aeb812.tar.gz openbsd-dfcc608101125b045153abb36d8b26d283aeb812.tar.bz2 openbsd-dfcc608101125b045153abb36d8b26d283aeb812.zip | |
Add ocsp_require_stapling config option for tls - allows a connection
to indicate that it requires the peer to provide a stapled OCSP response
with the handshake. Provide a "-T muststaple" for nc that uses it.
ok jsing@, guenther@
Diffstat (limited to 'src/lib/libtls/tls_ocsp.c')
| -rw-r--r-- | src/lib/libtls/tls_ocsp.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c index aa085bd245..af65771f7c 100644 --- a/src/lib/libtls/tls_ocsp.c +++ b/src/lib/libtls/tls_ocsp.c | |||
| @@ -304,8 +304,13 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg) | |||
| 304 | return -1; | 304 | return -1; |
| 305 | 305 | ||
| 306 | size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw); | 306 | size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw); |
| 307 | if (size <= 0) | 307 | if (size <= 0) { |
| 308 | if (ctx->config->ocsp_require_stapling) { | ||
| 309 | tls_set_errorx(ctx, "no stapled OCSP response provided"); | ||
| 310 | return 0; | ||
| 311 | } | ||
| 308 | return 1; | 312 | return 1; |
| 313 | } | ||
| 309 | 314 | ||
| 310 | tls_ocsp_ctx_free(ctx->ocsp_ctx); | 315 | tls_ocsp_ctx_free(ctx->ocsp_ctx); |
| 311 | ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx); | 316 | ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx); |