type Certificate struct {
Certificate [][]byte
PrivateKey *rsa.PrivateKey
+ // OCSPStaple contains an optional OCSP response which will be served
+ // to clients that request it.
+ OCSPStaple []byte
}
// A TLS record.
c.peerCertificates = certs
- if serverHello.certStatus {
+ if serverHello.ocspStapling {
msg, err = c.readHandshake()
if err != nil {
return err
compressionMethod uint8
nextProtoNeg bool
nextProtos []string
- certStatus bool
+ ocspStapling bool
}
func (m *serverHelloMsg) marshal() []byte {
nextProtoLen += len(m.nextProtos)
extensionsLength += nextProtoLen
}
- if m.certStatus {
+ if m.ocspStapling {
numExtensions++
}
if numExtensions > 0 {
z = z[1+l:]
}
}
- if m.certStatus {
+ if m.ocspStapling {
z[0] = byte(extensionStatusRequest >> 8)
z[1] = byte(extensionStatusRequest)
z = z[4:]
m.nextProtoNeg = false
m.nextProtos = nil
- m.certStatus = false
+ m.ocspStapling = false
if len(data) == 0 {
// ServerHello is optionally followed by extension data
if length > 0 {
return false
}
- m.certStatus = true
+ m.ocspStapling = true
}
data = data[length:]
}
hello.nextProtoNeg = true
hello.nextProtos = config.NextProtos
}
+ if clientHello.ocspStapling && len(config.Certificates[0].OCSPStaple) > 0 {
+ hello.ocspStapling = true
+ }
finishedHash.Write(hello.marshal())
c.writeRecord(recordTypeHandshake, hello.marshal())
finishedHash.Write(certMsg.marshal())
c.writeRecord(recordTypeHandshake, certMsg.marshal())
+ if hello.ocspStapling {
+ certStatus := new(certificateStatusMsg)
+ certStatus.statusType = statusTypeOCSP
+ certStatus.response = config.Certificates[0].OCSPStaple
+ finishedHash.Write(certStatus.marshal())
+ c.writeRecord(recordTypeHandshake, certStatus.marshal())
+ }
+
keyAgreement := suite.ka()
skx, err := keyAgreement.generateServerKeyExchange(config, clientHello, hello)