commit ea47a245aa0702a719e4e56b2c2a7a29bff526a4
from: Omar Polo
date: Thu Dec 09 18:51:02 2021 UTC

add ocs stapling checking for gg

commit - ebf3373d66fba1ff5fbfd822edefd83cc50a7630
commit + ea47a245aa0702a719e4e56b2c2a7a29bff526a4
blob - acda5da3a1af327595cec18b5761df584bd8fc4d
blob + 68f3749376dc40cc97bf3422cb2761f2e1a192fe
--- regress/gg.1
+++ regress/gg.1
@@ -20,7 +20,7 @@
 .Sh SYNOPSIS
 .Nm
 .Bk -words
-.Op Fl 23bchNVv
+.Op Fl 23bchNOVv
 .Op Fl C Pa cert.pem Fl K Pa key.pem
 .Op Fl H Ar hostname
 .Op Fl T Ar timeout
@@ -55,6 +55,9 @@ Load the client certificate key, must be in PEM format
 .It Fl N
 Don't check whether the peer certificate name matches the requested
 hostname.
+.It Fl O
+Require that a valid stapled OCSP response be provided during the TLS
+handshake.
 .It Fl T Ar timeout
 Kill
 .Nm
blob - 5537c68eec8de396ddc247ac2c6af97fd8e47a92
blob + 36efa51012779de897c5122e9398def47354ebcb
--- regress/gg.c
+++ regress/gg.c
@@ -18,7 +18,7 @@
 
 #include
 
-int flag2, flag3, bflag, cflag, hflag, Nflag, Vflag, vflag;
+int flag2, flag3, bflag, cflag, hflag, Nflag, Oflag, Vflag, vflag;
 const char *cert, *key;
 
 static void
@@ -42,7 +42,7 @@ main(int argc, char **argv)
 	ssize_t len;
 
 	hostname = NULL;
-	while ((ch = getopt(argc, argv, "23C:cbH:hK:NT:Vv")) != -1) {
+	while ((ch = getopt(argc, argv, "23C:cbH:hK:NOT:Vv")) != -1) {
 		switch (ch) {
 		case '2':
 			flag2 = 1;
@@ -71,6 +71,9 @@ main(int argc, char **argv)
 		case 'N':
 			Nflag = 1;
 			break;
+		case 'O':
+			Oflag = 1;
+			break;
 		case 'T':
 			timer = strtonum(optarg, 1, 1000, &errstr);
 			if (errstr != NULL)
@@ -125,6 +128,9 @@ main(int argc, char **argv)
 	if (Nflag)
 		tls_config_insecure_noverifyname(conf);
 
+	if (Oflag)
+		tls_config_ocsp_require_stapling(conf);
+
 	if (flag2 && tls_config_set_protocols(conf, TLS_PROTOCOL_TLSv1_2) == -1)
 		errx(1, "cannot set TLSv1.2");
 	if (flag3 && tls_config_set_protocols(conf, TLS_PROTOCOL_TLSv1_3) == -1)
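Review bot: The new `if (Oflag)` block in the last gg.c hunk would read better with a one-line comment tying the flag to its documented effect, e.g. `/* -O: fail the handshake unless the peer presents a valid stapled OCSP response */`, mirroring the wording the same commit adds to gg.1. The synopsis in gg.1 was updated for the new option, so if gg.c's usage() prints the option list (it lies outside these hunks) it presumably needs `O` added as well; the getopt string change in the second hunk only covers parsing. main() starts and ends outside the hunk.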