Implement OCSP stapling in TLS 1.3.
Change-Id: Iad572f44448141c5e2be49bf25b42719c625a97a
Reviewed-on: https://boringssl-review.googlesource.com/8812
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index e5faae5..34498ac 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -507,7 +507,7 @@
}
if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
- return fmt.Errorf("OCSP Response mismatch")
+ return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
}
if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
@@ -3204,8 +3204,6 @@
})
// OCSP stapling tests.
- //
- // TODO(davidben): Test the TLS 1.3 version of OCSP stapling.
tests = append(tests, testCase{
testType: clientTest,
name: "OCSPStapling-Client",
@@ -3233,6 +3231,37 @@
},
resumeSession: true,
})
+ tests = append(tests, testCase{
+ testType: clientTest,
+ name: "OCSPStapling-Client-TLS13",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ },
+ flags: []string{
+ "-enable-ocsp-stapling",
+ "-expect-ocsp-response",
+ base64.StdEncoding.EncodeToString(testOCSPResponse),
+ "-verify-peer",
+ },
+ // TODO(davidben): Enable this when resumption is implemented
+ // in TLS 1.3.
+ resumeSession: false,
+ })
+ tests = append(tests, testCase{
+ testType: serverTest,
+ name: "OCSPStapling-Server-TLS13",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ },
+ expectedOCSPResponse: testOCSPResponse,
+ flags: []string{
+ "-ocsp-response",
+ base64.StdEncoding.EncodeToString(testOCSPResponse),
+ },
+ // TODO(davidben): Enable this when resumption is implemented
+ // in TLS 1.3.
+ resumeSession: false,
+ })
// Certificate verification tests.
for _, vers := range tlsVersions {
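Review bot: The OCSPStapling-Server-TLS13 case only exercises the positive path, checking that the staple configured with `-ocsp-response` comes back equal to `expectedOCSPResponse`; nothing verifies that the TLS 1.3 server withholds the staple when the client did not send status_request. In TLS 1.3 the response is carried as an extension on the server's CertificateEntry rather than in a separate CertificateStatus message, and an extension the client never offered is one a strict peer may reject, so a server that staples unconditionally would pass this test and still fail against such clients. If the runner's Config has a way to suppress status_request on the client (none is visible in this hunk), a companion server case with that set and an assertion that `tlsConn.OCSPResponse()` is empty would close the gap; note the runner's comparison uses `bytes.Equal`, which treats nil and an empty slice as equal, so `expectedOCSPResponse: []byte{}` is enough to express "no staple". The client side has the mirror-image gap: OCSPStapling-Client-TLS13 asserts only that the expected bytes arrive, not that an unsolicited staple is rejected, which is worth a case once the negative path is implemented.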