Index: third_party/tlslite/tlslite/TLSConnection.py |
diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py |
index d2270a995f036c0478345dacee7d9e95efd68660..fe2c86385e3b76282c16f4b776d6dc2379553638 100644 |
--- a/third_party/tlslite/tlslite/TLSConnection.py |
+++ b/third_party/tlslite/tlslite/TLSConnection.py |
@@ -937,7 +937,8 @@ class TLSConnection(TLSRecordLayer): |
certChain=None, privateKey=None, reqCert=False, |
sessionCache=None, settings=None, checker=None, |
reqCAs=None, tlsIntolerant=0, |
- signedCertTimestamps=None): |
+ signedCertTimestamps=None, |
+ ocspResponse=None): |
"""Perform a handshake in the role of server. |
This function performs an SSL or TLS handshake. Depending on |
@@ -1013,6 +1014,16 @@ class TLSConnection(TLSRecordLayer): |
binary 8-bit string) that will be sent as a TLS extension whenever |
the client announces support for the extension. |
+ @type ocspResponse: str |
+ @param ocspResponse: An OCSP response (as a binary 8-bit string) that |
+ will be sent stapled in the handshake whenever the client announces |
+ support for the status_request extension. |
+ Note that the response is sent independent of the ClientHello |
+ status_request extension contents, and is thus only meant for testing |
+ environments. Real OCSP stapling is more complicated as it requires |
+ choosing a suitable response based on the ClientHello status_request |
+ extension contents. |
+ |
@raise socket.error: If a socket error occurs. |
@raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
without a preceding alert. |
@@ -1022,7 +1033,8 @@ class TLSConnection(TLSRecordLayer): |
""" |
for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, |
certChain, privateKey, reqCert, sessionCache, settings, |
- checker, reqCAs, tlsIntolerant, signedCertTimestamps): |
+ checker, reqCAs, tlsIntolerant, signedCertTimestamps, |
+ ocspResponse): |
pass |
@@ -1030,7 +1042,8 @@ class TLSConnection(TLSRecordLayer): |
certChain=None, privateKey=None, reqCert=False, |
sessionCache=None, settings=None, checker=None, |
reqCAs=None, tlsIntolerant=0, |
- signedCertTimestamps=None): |
+ signedCertTimestamps=None, |
+ ocspResponse=None): |
"""Start a server handshake operation on the TLS connection. |
This function returns a generator which behaves similarly to |
@@ -1049,7 +1062,8 @@ class TLSConnection(TLSRecordLayer): |
sessionCache=sessionCache, settings=settings, |
reqCAs=reqCAs, |
tlsIntolerant=tlsIntolerant, |
- signedCertTimestamps=signedCertTimestamps) |
+ signedCertTimestamps=signedCertTimestamps, |
+ ocspResponse=ocspResponse) |
for result in self._handshakeWrapperAsync(handshaker, checker): |
yield result |
@@ -1057,7 +1071,8 @@ class TLSConnection(TLSRecordLayer): |
def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, |
certChain, privateKey, reqCert, |
sessionCache, settings, reqCAs, |
- tlsIntolerant, signedCertTimestamps): |
+ tlsIntolerant, signedCertTimestamps, |
+ ocspResponse): |
self._handshakeStart(client=False) |
@@ -1428,10 +1443,14 @@ class TLSConnection(TLSRecordLayer): |
sessionID, cipherSuite, certificateType) |
serverHello.channel_id = clientHello.channel_id |
if clientHello.support_signed_cert_timestamps: |
- serverHello.signed_cert_timestamps = signedCertTimestamps |
+ serverHello.signed_cert_timestamps = signedCertTimestamps |
+ serverHello.status_request = (clientHello.status_request and |
+ ocspResponse) |
doingChannelID = clientHello.channel_id |
msgs.append(serverHello) |
msgs.append(Certificate(certificateType).create(serverCertChain)) |
+ if serverHello.status_request: |
+ msgs.append(CertificateStatus().create(ocspResponse)) |
if reqCert and reqCAs: |
msgs.append(CertificateRequest().create([], reqCAs)) |
elif reqCert: |