Client-side OCSP stapling support. Remove the old implementation which was excessively general. This mirrors the SCT support and adds a single boolean flag to request an OCSP response with no responder IDs, extensions, or frills. The response, if received, is stored on the SSL_SESSION so that it is available for (re)validation on session resumption; Chromium revalidates the saved auth parameters on resume. Server support is unimplemented for now. This API will also need to be adjusted in the future if we implement RFC 6961. Change-Id: I533c029b7f7ea622d814d05f934fdace2da85cb1 Reviewed-on: https://boringssl-review.googlesource.com/1671 Reviewed-by: Adam Langley <agl@google.com>

commit: 6c7aed048ca0a335e02dfee10976c5dc8620783e [log] [tgz]
author: David Benjamin <davidben@chromium.org> Wed Aug 27 16:42:38 2014 -0400
committer: Adam Langley <agl@google.com> Fri Aug 29 00:39:33 2014 +0000
tree: afdad4ea0491a082ff6a3bc4f2acb934af88124e
parent: e098ec2460c12e7061f3584086d75dd72eb4c5c9 [diff] [blame]
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 2e9b8cc..44f9367 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h

@@ -469,6 +469,11 @@
 		/* Server-only: cert_request is true if a client certificate was
 		 * requested. */
 		int cert_request;
+
+		/* certificate_status_expected is true if OCSP stapling was
+		 * negotiated and the server is expected to send a
+		 * CertificateStatus message. */
+		char certificate_status_expected;
 		} tmp;
 
         /* Connection binding to prevent renegotiation attacks */
commit	6c7aed048ca0a335e02dfee10976c5dc8620783e	[log] [tgz]
author	David Benjamin <davidben@chromium.org>	Wed Aug 27 16:42:38 2014 -0400
committer	Adam Langley <agl@google.com>	Fri Aug 29 00:39:33 2014 +0000
tree	afdad4ea0491a082ff6a3bc4f2acb934af88124e
parent	e098ec2460c12e7061f3584086d75dd72eb4c5c9 [diff] [blame]