On Fri, Jul 08, 2016 at 07:20:32PM -0600, Bob Beck wrote:
> One thing I am considering here (and for y'all to know, this is a
> major API addition and won't go in until after the soon upcoming
> openbsd release cycle happens) is that the way we have done this in
> the past with libtls is to just do the thing in the handshake and
> keep the data hidden in the (private) conn_info structure and then
> accessible to the user via a tls_ function call.
> 
> What strikes me as the most sensible thing to do for stapling is to
> just do it in the handshake, and then record the status in the
> conn_info. So if stapling is provided the handshake succeeds if the
> stapled response checks out, fails if it does not with a reason, and
> if it is not present or the certificate status is indeterminate we
> then have any designated ocsp responders from the certificate
> available to the application to then go make their own ocsp calls
> directly.

That is what the patch is about - after the handshake the client can call
tls_get_ocsp_info() to see if OCSP stapling was in use.

The responder request stuff is mainly necessary for the server to
update its stapled response.  But it's also possible to
check the peer cert via OCSP as it's basically the same code.

-- 
marko
