author | Bob Beck <beck@cvs.openbsd.org> | 2016-11-02 15:18:43 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 2016-11-02 15:18:43 +0000 |
commit | f8cf67d846573a981124a33cef8a510b7ccd50e8 (patch) | |
tree | 26965b83fc5c416e9409a1898b6883d20aa73274 /usr.bin/nc/netcat.c | |
parent | 7b5e710427f493441c7c1fbbd18418101fb6f779 (diff) |
Add OCSP client side support to libtls.
- Provide access to certificate OCSP URL
- Provide ability to check a raw OCSP reply against an
established TLS ctx
- Check and validate OCSP stapling info in the TLS handshake
if a stapled OCSP response is provided.
Add example code to show OCSP URL and stapled info
into netcat.
ok jsing@
Diffstat (limited to 'usr.bin/nc/netcat.c')
-rw-r--r-- | usr.bin/nc/netcat.c | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index 3af7d503748..64e77a8b528 100644
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.163 2016/09/03 17:35:34 bcook Exp $ */
+/* $OpenBSD: netcat.c,v 1.164 2016/11/02 15:18:42 beck Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -1518,6 +1518,8 @@ void
 report_tls(struct tls * tls_ctx, char * host, char *tls_expectname)
 {
 	time_t t;
+	const char *ocsp_url;
+
 	fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n",
 	    tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host);
 	fprintf(stderr, "Peer name: %s\n",
@@ -1535,6 +1537,40 @@ report_tls(struct tls * tls_ctx, char * host, char *tls_expectname)
 	if (tls_peer_cert_hash(tls_ctx))
 		fprintf(stderr, "Cert Hash: %s\n",
 		    tls_peer_cert_hash(tls_ctx));
+	ocsp_url = tls_peer_ocsp_url(tls_ctx);
+	fprintf(stderr, "OCSP URL: %s\n", ocsp_url == NULL ? "" : ocsp_url);
+	fprintf(stderr, "OCSP Stapling:");
+	switch (tls_peer_ocsp_response_status(tls_ctx)) {
+	case TLS_OCSP_RESPONSE_SUCCESSFUL:
+		fprintf(stderr, " %s\n",
+		    tls_peer_ocsp_result(tls_ctx) == NULL ? "" :
+		    tls_peer_ocsp_result(tls_ctx));
+		fprintf(stderr,
+		    " response_status=%d cert_status=%d crl_reason=%d\n",
+		    tls_peer_ocsp_response_status(tls_ctx),
+		    tls_peer_ocsp_cert_status(tls_ctx),
+		    tls_peer_ocsp_crl_reason(tls_ctx));
+		t = tls_peer_ocsp_this_update(tls_ctx);
+		fprintf(stderr, " this update: %s",
+		    t != -1 ? ctime(&t) : "\n");
+		t = tls_peer_ocsp_next_update(tls_ctx);
+		fprintf(stderr, " next update: %s",
+		    t != -1 ? ctime(&t) : "\n");
+		t = tls_peer_ocsp_revocation_time(tls_ctx);
+		fprintf(stderr, " revocation: %s",
+		    t != -1 ? ctime(&t) : "\n");
+		break;
+	case -1:
+		fprintf(stderr, "\n");
+		break;
+	default:
+		fprintf(stderr, " failure - response_status %d (%s)\n",
+		    tls_peer_ocsp_response_status(tls_ctx),
+		    tls_peer_ocsp_result(tls_ctx) == NULL ? "" :
+		    tls_peer_ocsp_result(tls_ctx));
+		break;
+
+	}
 }
 
 void
|
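Review bot: The three `t != -1 ? ctime(&t) : "\n"` conditionals in the TLS_OCSP_RESPONSE_SUCCESSFUL arm hand ctime()'s return value straight to a `%s` conversion, but ctime() can return NULL when the time cannot be formatted (OpenBSD's tzcode does this for years that do not fit the buffer), and these times presumably come from the peer's stapled OCSP response rather than from local data, so a hostile or broken responder could turn a diagnostic print into a NULL `%s` argument, which is undefined behavior. Since the label/time pattern repeats three times, a small static helper that checks the ctime() result once keeps the case body short; with all three sites routed through it the `time_t t` local declared earlier in report_tls becomes unused and can go. The repeated `tls_peer_ocsp_result(tls_ctx)` calls in both the success and default arms could likewise be hoisted into a local, as the hunk already does for `ocsp_url`. The bare `case -1:` arm would read better with a comment such as `case -1:	/* no stapled OCSP response */`, if that is indeed what -1 denotes here — confirm against tls_peer_ocsp_response_status(3). report_tls begins before this hunk.
```c
/* … unchanged: includes and earlier functions … */

/*
 * Print one OCSP timestamp line for report_tls().  A time of -1 marks a
 * field absent from the stapled response; ctime() may also return NULL
 * when the time cannot be formatted, so its result is never passed to
 * %s unchecked.
 */
static void
report_ocsp_time(const char *label, time_t t)
{
	const char *s = NULL;

	if (t != -1)
		s = ctime(&t);
	fprintf(stderr, " %s: %s", label, s != NULL ? s : "\n");
}

/* … unchanged: report_tls() through the cert_status/crl_reason fprintf … */
		report_ocsp_time("this update", tls_peer_ocsp_this_update(tls_ctx));
		report_ocsp_time("next update", tls_peer_ocsp_next_update(tls_ctx));
		report_ocsp_time("revocation", tls_peer_ocsp_revocation_time(tls_ctx));
		break;
/* … unchanged: remaining switch arms … */
```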