Add support for server side OCSP stapling to libtls.

Add support for server side OCSP stapling to netcat.
author: beck <> 2016-11-05 15:13:26 +0000
committer: beck <> 2016-11-05 15:13:26 +0000
commit: e11dddc2de1dbf045d34adf894146594aded7e8d (patch)
tree: 539491edf35461b59c4b7f94d33635fed5473983 /src/usr.bin
parent: 464dd6c7ce174b2e5a477e2359d33ac3740c1482 (diff)
download: openbsd-e11dddc2de1dbf045d34adf894146594aded7e8d.tar.gz
openbsd-e11dddc2de1dbf045d34adf894146594aded7e8d.tar.bz2
openbsd-e11dddc2de1dbf045d34adf894146594aded7e8d.zip
2 files changed, 19 insertions, 4 deletions
diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index 8c7790f72a..2dda57af92 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: nc.1,v 1.76 2016/11/04 07:34:17 jmc Exp $
+.\"     $OpenBSD: nc.1,v 1.77 2016/11/05 15:13:26 beck Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 4 2016 $
+.Dd $Mdocdate: November 5 2016 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -43,6 +43,7 @@
 .Op Fl M Ar ttl
 .Op Fl m Ar minttl
 .Op Fl O Ar length
+.Op Fl o Ar staplefile
 .Op Fl P Ar proxy_username
 .Op Fl p Ar source_port
 .Op Fl R Ar CAfile
@@ -187,6 +188,12 @@ Do not do any DNS or service lookups on any specified addresses,
 hostnames or ports.
 .It Fl O Ar length
 Specifies the size of the TCP send buffer.
+.It Fl o Ar staplefile
+Specifies the filename from which to load data to be stapled
+during the TLS handshake.
+The file is expected to contain an OSCP response from an OCSP server in 
+DER format. 
+May only be used with TLS and when a certificate is being used.
 .It Fl P Ar proxy_username
 Specifies a username to present to a proxy server that requires authentication.
 If no username is specified then authentication will not be attempted.
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index b71c0426dc..4a841fb96d 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.167 2016/11/04 05:13:13 beck Exp $ */
+/* $OpenBSD: netcat.c,v 1.168 2016/11/05 15:13:26 beck Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -100,6 +100,7 @@ int	rtableid = -1;
 int     usetls;                                 /* use TLS */
 char    *Cflag;                                 /* Public cert file */
 char    *Kflag;                                 /* Private key file */
+char    *oflag;                                 /* OCSP stapling file */
 char    *Rflag = DEFAULT_CA_FILE;               /* Root CA file */
 int     tls_cachanged;                          /* Using non-default CA file */
 int     TLSopt;                                 /* TLS options */
@@ -163,7 +164,7 @@ main(int argc, char *argv[])
        signal(SIGPIPE, SIG_IGN);
        while ((ch = getopt(argc, argv,
-            "46C:cDde:FH:hI:i:K:klM:m:NnO:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
+            "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
                switch (ch) {
                case '4':
                        family = AF_INET;
@@ -295,6 +296,9 @@ main(int argc, char *argv[])
                                errx(1, "TCP send window %s: %s",
                                    errstr, optarg);
                        break;
+                case 'o':
+                        oflag = optarg;
+                        break;
                case 'S':
                        Sflag = 1;
                        break;
@@ -380,6 +384,8 @@ main(int argc, char *argv[])
                errx(1, "you must specify -c to use -C");
        if (Kflag && !usetls)
                errx(1, "you must specify -c to use -K");
+        if (oflag && !Cflag)
+                errx(1, "you must specify -C to use -o");
        if (tls_cachanged && !usetls)
                errx(1, "you must specify -c to use -R");
        if (tls_expecthash && !usetls)
@@ -455,6 +461,8 @@ main(int argc, char *argv[])
                        errx(1, "%s", tls_config_error(tls_cfg));
                if (Kflag && tls_config_set_key_file(tls_cfg, Kflag) == -1)
                        errx(1, "%s", tls_config_error(tls_cfg));
+                if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
+                        errx(1, "%s", tls_config_error(tls_cfg));
                if (TLSopt & TLS_LEGACY) {
                        tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL);
                        tls_config_set_ciphers(tls_cfg, "all");
author	beck <>	2016-11-05 15:13:26 +0000
committer	beck <>	2016-11-05 15:13:26 +0000
commit	e11dddc2de1dbf045d34adf894146594aded7e8d (patch)
tree	539491edf35461b59c4b7f94d33635fed5473983 /src/usr.bin
parent	464dd6c7ce174b2e5a477e2359d33ac3740c1482 (diff)
download	openbsd-e11dddc2de1dbf045d34adf894146594aded7e8d.tar.gz openbsd-e11dddc2de1dbf045d34adf894146594aded7e8d.tar.bz2 openbsd-e11dddc2de1dbf045d34adf894146594aded7e8d.zip