1 files changed, 11 insertions, 1 deletions

diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index a1bceb7d97..84f4e91740 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.36 2016/09/04 13:20:56 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.37 2016/11/02 15:18:42 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -200,6 +200,11 @@ tls_connect_common(struct tls *ctx, const char *servername)
              SSL_VERIFY_PEER) == -1))
                 goto err;
 
+        if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) {
+                tls_set_errorx(ctx, "ssl OCSP verification setup failure");
+                goto err;
+        }
+
         if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
                 tls_set_errorx(ctx, "ssl connection failure");
                 goto err;
@@ -210,6 +215,11 @@ tls_connect_common(struct tls *ctx, const char *servername)
                 goto err;
         }
 
+        if (SSL_set_tlsext_status_type(ctx->ssl_conn, TLSEXT_STATUSTYPE_ocsp) != 1) {
+                tls_set_errorx(ctx, "ssl OCSP extension setup failure");
+                goto err;
+        }
+
         /*
          * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
          * permitted in "HostName".