Index: third_party/tlslite/tlslite/TLSConnection.py |
diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py |
index d2270a995f036c0478345dacee7d9e95efd68660..4df4f684e478ddc479053ea2924c2fe9234f69b2 100644 |
--- a/third_party/tlslite/tlslite/TLSConnection.py |
+++ b/third_party/tlslite/tlslite/TLSConnection.py |
@@ -937,7 +937,8 @@ class TLSConnection(TLSRecordLayer): |
certChain=None, privateKey=None, reqCert=False, |
sessionCache=None, settings=None, checker=None, |
reqCAs=None, tlsIntolerant=0, |
- signedCertTimestamps=None): |
+ signedCertTimestamps=None, |
+ OCSPResponse=None): |
wtc
2013/12/03 21:04:25
Nit: I suggest "ocspResponse" to match the capital
ekasper
2013/12/04 19:25:15
Done.
|
"""Perform a handshake in the role of server. |
This function performs an SSL or TLS handshake. Depending on |
@@ -1013,6 +1014,15 @@ class TLSConnection(TLSRecordLayer): |
binary 8-bit string) that will be sent as a TLS extension whenever |
the client announces support for the extension. |
+ @type OCSPResponse: str |
+ @param OCSPResponse: An OCSP response (as a binary 8-bit string) that |
+ will be sent stapled in the handshake whenever the client announces |
+ support for the status_request extension. |
+ Note that the response is sent independent of the ClientHello extension |
wtc
2013/12/03 21:04:25
Nit: add "status_request" between "ClientHello" an
ekasper
2013/12/04 19:25:15
Done.
|
+ contents, and is thus only meant for testing environments. Real OCSP |
+ stapling is more complicated as it requires choosing a suitable response |
+ based on the ClientHello extension contents. |
+ |
@raise socket.error: If a socket error occurs. |
@raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
without a preceding alert. |
@@ -1022,7 +1032,8 @@ class TLSConnection(TLSRecordLayer): |
""" |
for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, |
certChain, privateKey, reqCert, sessionCache, settings, |
- checker, reqCAs, tlsIntolerant, signedCertTimestamps): |
+ checker, reqCAs, tlsIntolerant, signedCertTimestamps, |
+ OCSPResponse): |
pass |
@@ -1030,7 +1041,8 @@ class TLSConnection(TLSRecordLayer): |
certChain=None, privateKey=None, reqCert=False, |
sessionCache=None, settings=None, checker=None, |
reqCAs=None, tlsIntolerant=0, |
- signedCertTimestamps=None): |
+ signedCertTimestamps=None, |
+ OCSPResponse=None): |
wtc
2013/12/03 21:04:25
Nit: ocspResponse.
ekasper
2013/12/04 19:25:15
Done.
|
"""Start a server handshake operation on the TLS connection. |
This function returns a generator which behaves similarly to |
@@ -1049,7 +1061,8 @@ class TLSConnection(TLSRecordLayer): |
sessionCache=sessionCache, settings=settings, |
reqCAs=reqCAs, |
tlsIntolerant=tlsIntolerant, |
- signedCertTimestamps=signedCertTimestamps) |
+ signedCertTimestamps=signedCertTimestamps, |
+ OCSPResponse=OCSPResponse) |
for result in self._handshakeWrapperAsync(handshaker, checker): |
yield result |
@@ -1057,7 +1070,8 @@ class TLSConnection(TLSRecordLayer): |
def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, |
certChain, privateKey, reqCert, |
sessionCache, settings, reqCAs, |
- tlsIntolerant, signedCertTimestamps): |
+ tlsIntolerant, signedCertTimestamps, |
+ OCSPResponse): |
wtc
2013/12/03 21:04:25
Nit: ocspResponse.
ekasper
2013/12/04 19:25:15
Done.
|
self._handshakeStart(client=False) |
@@ -1428,10 +1442,14 @@ class TLSConnection(TLSRecordLayer): |
sessionID, cipherSuite, certificateType) |
serverHello.channel_id = clientHello.channel_id |
if clientHello.support_signed_cert_timestamps: |
- serverHello.signed_cert_timestamps = signedCertTimestamps |
+ serverHello.signed_cert_timestamps = signedCertTimestamps |
+ serverHello.status_request = (clientHello.status_request and |
+ OCSPResponse) |
doingChannelID = clientHello.channel_id |
msgs.append(serverHello) |
msgs.append(Certificate(certificateType).create(serverCertChain)) |
+ if clientHello.status_request and OCSPResponse: |
wtc
2013/12/03 21:04:25
Nit: we may be able to just test serverHello.statu
ekasper
2013/12/04 19:25:15
Done.
|
+ msgs.append(CertificateStatus().create(OCSPResponse)) |
if reqCert and reqCAs: |
msgs.append(CertificateRequest().create([], reqCAs)) |
elif reqCert: |