From dfcc608101125b045153abb36d8b26d283aeb812 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Fri, 4 Nov 2016 05:13:13 +0000
Subject: Add ocsp_require_stapling config option for tls - allows a connection to indicate that it requires the peer to provide a stapled OCSP response with the handshake. Provide a "-T muststaple" for nc that uses it. ok jsing@, guenther@
---
 src/lib/libtls/tls_init.3 | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'src/lib/libtls/tls_init.3')
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index d0b6292b4a..88195deb2e 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.76 2016/11/03 12:54:16 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.77 2016/11/04 05:13:13 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 3 2016 $
+.Dd $Mdocdate: November 4 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -47,6 +47,7 @@
 .Nm tls_config_insecure_noverifycert ,
 .Nm tls_config_insecure_noverifyname ,
 .Nm tls_config_insecure_noverifytime ,
+.Nm tls_config_ocsp_require_stapling ,
 .Nm tls_config_verify ,
 .Nm tls_config_verify_client ,
 .Nm tls_config_verify_client_optional ,
@@ -150,6 +151,8 @@
 .Ft "void"
 .Fn tls_config_insecure_noverifytime "struct tls_config *config"
 .Ft "void"
+.Fn tls_config_ocsp_require_stapling "struct tls_config *config"
+.Ft "void"
 .Fn tls_config_verify "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_verify_client "struct tls_config *config"
@@ -456,6 +459,9 @@ Be careful when using this option.
 disables validity checking of certificates and OCSP validation.
 Be careful when using this option.
 .It
+.Fn tls_config_ocsp_require_stapling
+requires that a valid stapled OCSP response be provided during the TLS handshake.
+.It
 .Fn tls_config_verify
 reenables server name and certificate verification.
 .It
-- 
cgit v1.2.3-55-g6feb