author | 2016-11-02 15:18:42 +0000 | |
---|---|---|
committer | 2016-11-02 15:18:42 +0000 | |
commit | 2dc6b4e4bea94e3efa098d1c718af993a0a863d8 (patch) | |
tree | a1b395678f389813828b6ac267879c15b745413c /usr.bin/nc/netcat.c | |
parent | Make an empty state on error rather than leaving something partially (diff) | |
download | wireguard-openbsd-2dc6b4e4bea94e3efa098d1c718af993a0a863d8.tar.xz wireguard-openbsd-2dc6b4e4bea94e3efa098d1c718af993a0a863d8.zip |
Add OCSP client side support to libtls.
- Provide access to certificate OCSP URL
- Provide ability to check a raw OCSP reply against an
established TLS ctx
- Check and validate OCSP stapling info in the TLS handshake
if a stapled OCSP response is provided.
Add example code to show OCSP URL and stapled info
into netcat.
ok jsing@
Diffstat (limited to '')
-rw-r--r-- | usr.bin/nc/netcat.c | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index 3af7d503748..64e77a8b528 100644
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.163 2016/09/03 17:35:34 bcook Exp $ */
+/* $OpenBSD: netcat.c,v 1.164 2016/11/02 15:18:42 beck Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -1518,6 +1518,8 @@ void
 report_tls(struct tls * tls_ctx, char * host, char *tls_expectname)
 {
 time_t t;
+const char *ocsp_url;
+
 fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n",
 tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host);
 fprintf(stderr, "Peer name: %s\n",
@@ -1535,6 +1537,40 @@ report_tls(struct tls * tls_ctx, char * host, char *tls_expectname)
 if (tls_peer_cert_hash(tls_ctx))
 fprintf(stderr, "Cert Hash: %s\n", tls_peer_cert_hash(tls_ctx));
+ocsp_url = tls_peer_ocsp_url(tls_ctx);
+fprintf(stderr, "OCSP URL: %s\n", ocsp_url == NULL ? "" : ocsp_url);
+fprintf(stderr, "OCSP Stapling:");
+switch (tls_peer_ocsp_response_status(tls_ctx)) {
+case TLS_OCSP_RESPONSE_SUCCESSFUL:
+fprintf(stderr, " %s\n",
+tls_peer_ocsp_result(tls_ctx) == NULL ? "" :
+tls_peer_ocsp_result(tls_ctx));
+fprintf(stderr,
+" response_status=%d cert_status=%d crl_reason=%d\n",
+tls_peer_ocsp_response_status(tls_ctx),
+tls_peer_ocsp_cert_status(tls_ctx),
+tls_peer_ocsp_crl_reason(tls_ctx));
+t = tls_peer_ocsp_this_update(tls_ctx);
+fprintf(stderr, " this update: %s",
+t != -1 ? ctime(&t) : "\n");
+t = tls_peer_ocsp_next_update(tls_ctx);
+fprintf(stderr, " next update: %s",
+t != -1 ? ctime(&t) : "\n");
+t = tls_peer_ocsp_revocation_time(tls_ctx);
+fprintf(stderr, " revocation: %s",
+t != -1 ? ctime(&t) : "\n");
+break;
+case -1:
+fprintf(stderr, "\n");
+break;
+default:
+fprintf(stderr, " failure - response_status %d (%s)\n",
+tls_peer_ocsp_response_status(tls_ctx),
+tls_peer_ocsp_result(tls_ctx) == NULL ? "" :
+tls_peer_ocsp_result(tls_ctx));
+break;
+
+}
 }
 void |
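Review bot: The `case -1:` arm of the new switch is a bare sentinel next to the named `TLS_OCSP_RESPONSE_SUCCESSFUL`, and a comment would tell the reader what it selects; I would write `case -1: /* no stapled OCSP response in the handshake */`, assuming -1 is the no-response return of tls_peer_ocsp_response_status (the libtls header is not in the hunk). `tls_peer_ocsp_response_status` and `tls_peer_ocsp_result` are each called repeatedly for one value; reading each once into a local beside `ocsp_url` would make the three arms shorter and keep the printed status the same one the switch dispatched on. The `t != -1 ? ctime(&t) : "\n"` expressions hand `ctime()`'s result straight to `%s`, and `ctime()` can return NULL for a time it cannot format, which `fprintf` does not tolerate, so a NULL fallback to `"\n"` there would be safer. Worth a comment as well that `ocsp_url` and the result string come from the peer and are printed unescaped, in the same way the visible `Cert Hash` and `Peer name` lines print peer-supplied fields; report_tls opens in the preceding hunk and this hunk ends on its closing brace.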