| Index: third_party/tlslite/tlslite/TLSConnection.py
|
| diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
|
| index e6ce1870de4781f627dc761c517f735f2ff5da99..0c6b18f3360064f26601d15701e91cf5eeed4c46 100644
|
| --- a/third_party/tlslite/tlslite/TLSConnection.py
|
| +++ b/third_party/tlslite/tlslite/TLSConnection.py
|
| @@ -938,7 +938,8 @@ class TLSConnection(TLSRecordLayer):
|
| sessionCache=None, settings=None, checker=None,
|
| reqCAs=None, tlsIntolerant=0,
|
| signedCertTimestamps=None,
|
| - fallbackSCSV=False):
|
| + fallbackSCSV=False,
|
| + ocspResponse=None):
|
| """Perform a handshake in the role of server.
|
|
|
| This function performs an SSL or TLS handshake. Depending on
|
| @@ -1014,6 +1015,16 @@ class TLSConnection(TLSRecordLayer):
|
| binary 8-bit string) that will be sent as a TLS extension whenever
|
| the client announces support for the extension.
|
|
|
| + @type ocspResponse: str
|
| + @param ocspResponse: An OCSP response (as a binary 8-bit string) that
|
| + will be sent stapled in the handshake whenever the client announces
|
| + support for the status_request extension.
|
| + Note that the response is sent independent of the ClientHello
|
| + status_request extension contents, and is thus only meant for testing
|
| + environments. Real OCSP stapling is more complicated as it requires
|
| + choosing a suitable response based on the ClientHello status_request
|
| + extension contents.
|
| +
|
| @raise socket.error: If a socket error occurs.
|
| @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
|
| without a preceding alert.
|
| @@ -1024,7 +1035,7 @@ class TLSConnection(TLSRecordLayer):
|
| for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
|
| certChain, privateKey, reqCert, sessionCache, settings,
|
| checker, reqCAs, tlsIntolerant, signedCertTimestamps,
|
| - fallbackSCSV):
|
| + fallbackSCSV, ocspResponse):
|
| pass
|
|
|
|
|
| @@ -1033,7 +1044,7 @@ class TLSConnection(TLSRecordLayer):
|
| sessionCache=None, settings=None, checker=None,
|
| reqCAs=None, tlsIntolerant=0,
|
| signedCertTimestamps=None,
|
| - fallbackSCSV=False):
|
| + fallbackSCSV=False, ocspResponse=None):
|
| """Start a server handshake operation on the TLS connection.
|
|
|
| This function returns a generator which behaves similarly to
|
| @@ -1053,7 +1064,7 @@ class TLSConnection(TLSRecordLayer):
|
| reqCAs=reqCAs,
|
| tlsIntolerant=tlsIntolerant,
|
| signedCertTimestamps=signedCertTimestamps,
|
| - fallbackSCSV=fallbackSCSV)
|
| + fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse)
|
| for result in self._handshakeWrapperAsync(handshaker, checker):
|
| yield result
|
|
|
| @@ -1062,8 +1073,7 @@ class TLSConnection(TLSRecordLayer):
|
| certChain, privateKey, reqCert,
|
| sessionCache, settings, reqCAs,
|
| tlsIntolerant, signedCertTimestamps,
|
| - fallbackSCSV):
|
| -
|
| + fallbackSCSV, ocspResponse):
|
| self._handshakeStart(client=False)
|
|
|
| if (not sharedKeyDB) and (not verifierDB) and (not certChain):
|
| @@ -1439,10 +1449,14 @@ class TLSConnection(TLSRecordLayer):
|
| sessionID, cipherSuite, certificateType)
|
| serverHello.channel_id = clientHello.channel_id
|
| if clientHello.support_signed_cert_timestamps:
|
| - serverHello.signed_cert_timestamps = signedCertTimestamps
|
| + serverHello.signed_cert_timestamps = signedCertTimestamps
|
| + serverHello.status_request = (clientHello.status_request and
|
| + ocspResponse)
|
| doingChannelID = clientHello.channel_id
|
| msgs.append(serverHello)
|
| msgs.append(Certificate(certificateType).create(serverCertChain))
|
| + if serverHello.status_request:
|
| + msgs.append(CertificateStatus().create(ocspResponse))
|
| if reqCert and reqCAs:
|
| msgs.append(CertificateRequest().create([], reqCAs))
|
| elif reqCert:
|
|
|
Chromium Code Reviews
