From 8cc868305fe197edb9f01ce424e355d76be91b22 Mon Sep 17 00:00:00 2001 From: beck <> Date: Wed, 2 Nov 2016 15:18:42 +0000 Subject: Add OCSP client side support to libtls. - Provide access to certificate OCSP URL - Provide ability to check a raw OCSP reply against an established TLS ctx - Check and validate OCSP stapling info in the TLS handshake if a stapled OCSP response is provided.` Add example code to show OCSP URL and stapled info into netcat. ok jsing@ --- src/lib/libtls/tls_client.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'src/lib/libtls/tls_client.c') diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c index a1bceb7d97..84f4e91740 100644 --- a/src/lib/libtls/tls_client.c +++ b/src/lib/libtls/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.36 2016/09/04 13:20:56 jsing Exp $ */ +/* $OpenBSD: tls_client.c,v 1.37 2016/11/02 15:18:42 beck Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -200,6 +200,11 @@ tls_connect_common(struct tls *ctx, const char *servername) SSL_VERIFY_PEER) == -1)) goto err; + if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) { + tls_set_errorx(ctx, "ssl OCSP verification setup failure"); + goto err; + } + if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { tls_set_errorx(ctx, "ssl connection failure"); goto err; @@ -210,6 +215,11 @@ tls_connect_common(struct tls *ctx, const char *servername) goto err; } + if (SSL_set_tlsext_status_type(ctx->ssl_conn, TLSEXT_STATUSTYPE_ocsp) != 1) { + tls_set_errorx(ctx, "ssl OCSP extension setup failure"); + goto err; + } + /* * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not * permitted in "HostName". -- cgit v1.2.3-55-g6feb