

commit - ebf3373d66fba1ff5fbfd822edefd83cc50a7630
commit + ea47a245aa0702a719e4e56b2c2a7a29bff526a4
blob - acda5da3a1af327595cec18b5761df584bd8fc4d
blob + 68f3749376dc40cc97bf3422cb2761f2e1a192fe
--- regress/gg.1
+++ regress/gg.1
@@ -20,7 +20,7 @@
 .Sh SYNOPSIS
 .Nm
 .Bk -words
-.Op Fl 23bchNVv
+.Op Fl 23bchNOVv
 .Op Fl C Pa cert.pem Fl K Pa key.pem
 .Op Fl H Ar hostname
 .Op Fl T Ar timeout
@@ -55,6 +55,9 @@ Load the client certificate key, must be in PEM format
 .It Fl N
 Don't check whether the peer certificate name matches the requested
 hostname.
+.It Fl O
+Require that a valid stapled OCSP response be provided during the TLS
+handshake.
 .It Fl T Ar timeout
 Kill
 .Nm
blob - 5537c68eec8de396ddc247ac2c6af97fd8e47a92
blob + 36efa51012779de897c5122e9398def47354ebcb
--- regress/gg.c
+++ regress/gg.c
@@ -18,7 +18,7 @@
 
 #include <string.h>
 
-int flag2, flag3, bflag, cflag, hflag, Nflag, Vflag, vflag;
+int flag2, flag3, bflag, cflag, hflag, Nflag, Oflag, Vflag, vflag;
 const char *cert, *key;
 
 static void
@@ -42,7 +42,7 @@ main(int argc, char **argv)
 	ssize_t len;
 
 	hostname = NULL;
-	while ((ch = getopt(argc, argv, "23C:cbH:hK:NT:Vv")) != -1) {
+	while ((ch = getopt(argc, argv, "23C:cbH:hK:NOT:Vv")) != -1) {
 		switch (ch) {
 		case '2':
 			flag2 = 1;
@@ -71,6 +71,9 @@ main(int argc, char **argv)
 		case 'N':
 			Nflag = 1;
 			break;
+		case 'O':
+			Oflag = 1;
+			break;
 		case 'T':
 			timer = strtonum(optarg, 1, 1000, &errstr);
 			if (errstr != NULL)
@@ -125,6 +128,9 @@ main(int argc, char **argv)
 	if (Nflag)
 		tls_config_insecure_noverifyname(conf);
 
+	if (Oflag)
+		tls_config_ocsp_require_stapling(conf);
+
 	if (flag2 && tls_config_set_protocols(conf, TLS_PROTOCOL_TLSv1_2) == -1)
 		errx(1, "cannot set TLSv1.2");
 	if (flag3 && tls_config_set_protocols(conf, TLS_PROTOCOL_TLSv1_3) == -1)
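Review bot: The new `if (Oflag)` block does not say why its call is unchecked, while the two `tls_config_set_protocols()` calls right below it test for `-1`. In libtls `tls_config_ocsp_require_stapling()` returns void, so a missing or invalid staple only surfaces later as a handshake failure. I would add `/* returns void; a missing or invalid staple fails the handshake later */` above the call. The config setup before `if (Nflag)` is outside this hunk: if certificate verification is relaxed there, a regress case should confirm that -O still rejects a server that staples nothing, because a stapled response is only as trustworthy as the chain it is checked against. main's body starts and ends outside the hunk.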