authorJack Lloyd <[email protected]>2016-11-16 01:34:19 -0500
committerJack Lloyd <[email protected]>2016-11-26 12:41:03 -0500
commit10244d3fa88365a3740eb66ccfd9c90f3a866fcd (patch)
tree54a746fdcdebd327bbd71d023ce6d02ef7e66b44 /src/lib/tls/msg_server_hello.cpp
parent5372d0b499ad317ab3776c9ac92df866cc6a1e84 (diff)
Add OCSP stapling support to TLS client
Diffstat (limited to 'src/lib/tls/msg_server_hello.cpp')
-rw-r--r--src/lib/tls/msg_server_hello.cpp18
1 files changed, 15 insertions, 3 deletions
diff --git a/src/lib/tls/msg_server_hello.cpp b/src/lib/tls/msg_server_hello.cpp
index 3e8a8dda9..37e521403 100644
--- a/src/lib/tls/msg_server_hello.cpp
+++ b/src/lib/tls/msg_server_hello.cpp
@@ -35,12 +35,15 @@ Server_Hello::Server_Hello(Handshake_IO& io,
if(client_hello.supports_extended_master_secret())
m_extensions.add(new Extended_Master_Secret);
+ // Sending the extension back does not commit us to sending a stapled response
+ if(client_hello.supports_cert_status_message())
+ m_extensions.add(new Certificate_Status_Request);
+
Ciphersuite c = Ciphersuite::by_id(m_ciphersuite);
- if(client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac())
+ if(c.cbc_ciphersuite() && client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac())
{
- if(c.cbc_ciphersuite())
- m_extensions.add(new Encrypt_then_MAC);
+ m_extensions.add(new Encrypt_then_MAC);
}
if(c.ecc_ciphersuite())
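Review bot: The new `if(client_hello.supports_cert_status_message())` branch echoes status_request whenever the client offers it, whereas the encrypt-then-MAC branch right below it also consults `policy`. A server that never staples would then still advertise the extension, so a policy switch consulted in the same way would let such deployments leave it out. The added comment is correct but unreferenced; I would expand it to `// RFC 6066 section 8: the server may echo status_request and still omit CertificateStatus`. The constructor body starts and ends outside this hunk, so any gating done elsewhere is not visible here.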
@@ -100,6 +103,10 @@ Server_Hello::Server_Hello(Handshake_IO& io,
if(client_hello.supports_extended_master_secret())
m_extensions.add(new Extended_Master_Secret);
+ // Sending the extension back does not commit us to sending a stapled response
+ if(client_hello.supports_cert_status_message())
+ m_extensions.add(new Certificate_Status_Request);
+
if(client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac())
{
Ciphersuite c = resumed_session.ciphersuite();
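Review bot: This `if(client_hello.supports_cert_status_message())` check and its `m_extensions.add(new Certificate_Status_Request);` appear again in the next hunk (the braced copy after the encrypt-then-MAC block), in what looks like the same constructor since both hunks read `resumed_session`. One of the two should be dropped. Whether the second `add` replaces the first entry or produces a duplicate extension in the encoded ServerHello depends on the extensions container, which is not visible here; a duplicated extension type would be a protocol error for a strict peer. The constructor starts and ends outside the hunk.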
@@ -107,6 +114,11 @@ Server_Hello::Server_Hello(Handshake_IO& io,
m_extensions.add(new Encrypt_then_MAC);
}
+ if(client_hello.supports_cert_status_message())
+ {
+ m_extensions.add(new Certificate_Status_Request);
+ }
+
if(resumed_session.ciphersuite().ecc_ciphersuite())
{
m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
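Review bot: Echoing status_request on what appears to be the session-resumption path (the surrounding code reads `resumed_session`) advertises something the server cannot deliver. An abbreviated handshake carries no Certificate message, so no CertificateStatus can follow it. I would leave the extension out of the resumed ServerHello altogether, or else document the reason for sending it with a comment such as `// echoed for symmetry only; no CertificateStatus is sent on resumption`. The constructor body continues past the end of this hunk.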