authorReyk Floeter <reyk@cvs.openbsd.org>2019-06-26 12:13:48 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2019-06-26 12:13:48 +0000
commitf7d2daaffd87276289544946ef5af234ac63cada (patch)
tree16450a4c1467c1b7ccf81f41faa5cd43e2f87dc4 /usr.sbin/relayd/relayd.conf.5
parent7d3b42fe3d303d3935bff26ff897bc8679959905 (diff)
Add support for OCSP stapling
Many thanks to Bruno Flueckiger who independently sent a very similar patch. He also tested the one I'm committing that it works as expected. OK tb@
Diffstat (limited to 'usr.sbin/relayd/relayd.conf.5')
-rw-r--r--usr.sbin/relayd/relayd.conf.514
1 files changed, 12 insertions, 2 deletions
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 9421661e8bc..e5c8fa97df6 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.190 2019/05/31 15:25:57 reyk Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.191 2019/06/26 12:13:47 reyk Exp $
.\"
.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: May 31 2019 $
+.Dd $Mdocdate: June 26 2019 $
.Dt RELAYD.CONF 5
.Os
.Sh NAME
@@ -965,6 +965,15 @@ a keypair will be loaded using the specified IP address of the relay as
See
.Xr ssl 8
for details about SSL/TLS server certificates.
+.Pp
+An optional OCSP staple file will be used during TLS handshakes with
+this server if it is found as a non-empty file in
+.Pa /etc/ssl/name:port.ocsp
+or
+.Pa /etc/ssl/name.ocsp .
+The file should contain a DER-format OCSP response retrieved from an
+OCSP server for the certificate in use, and can be created using
+.Xr ocspcheck 8 .
.It Ic no cipher-server-preference
Prefer the client's cipher list over the server's preferences when
choosing a cipher for the connection.
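Review bot: The new paragraph ending at `.Xr ocspcheck 8 .` does not mention that an OCSP response is only valid for a limited period, so an operator who creates the staple file once may end up serving an expired staple, which clients may reject. I would add a sentence after the `.Xr ocspcheck 8 .` line, such as `The response is only valid for a limited time and needs to be refreshed before it expires, for example from cron(8).` Whether relayd picks up a refreshed file without a reload is not visible in this diff; if a reload is required, the text should say so. The paragraph could also state explicitly that `name:port.ocsp` is tried before `name.ocsp`, since the "or" leaves the lookup order implicit.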
@@ -1594,6 +1603,7 @@ router "uplinks" {
}
.Ed
.Sh SEE ALSO
+.Xr ocspcheck 8 ,
.Xr relayctl 8 ,
.Xr relayd 8 ,
.Xr snmpd 8 ,