Implement status_request OCSP extension.ocspext

13 files changed, 521 insertions, 2 deletions

diff --git a/doc/Makefile.am b/doc/Makefile.am
index 792897121d..e35e23dbd5 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -666,6 +666,8 @@ FUNCS += functions/gnutls_session_ticket_key_generate
 FUNCS += functions/gnutls_session_ticket_enable_client
 FUNCS += functions/gnutls_session_ticket_enable_server
 FUNCS += functions/gnutls_key_generate
+FUNCS += functions/gnutls_status_request_ocsp_server
+FUNCS += functions/gnutls_status_request_ocsp_client
 FUNCS += functions/gnutls_priority_init
 FUNCS += functions/gnutls_priority_deinit
 FUNCS += functions/gnutls_priority_get_cipher_suite_index
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 0886d2575c..f1bf22e294 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -263,6 +263,8 @@ APIMANS += gnutls_session_ticket_key_generate.3
 APIMANS += gnutls_session_ticket_enable_client.3
 APIMANS += gnutls_session_ticket_enable_server.3
 APIMANS += gnutls_key_generate.3
+APIMANS += gnutls_status_request_ocsp_server.3
+APIMANS += gnutls_status_request_ocsp_client.3
 APIMANS += gnutls_priority_init.3
 APIMANS += gnutls_priority_deinit.3
 APIMANS += gnutls_priority_get_cipher_suite_index.3
@@ -326,7 +328,6 @@ APIMANS += gnutls_certificate_set_x509_simple_pkcs12_mem.3
 APIMANS += gnutls_certificate_set_x509_key.3
 APIMANS += gnutls_certificate_set_x509_trust.3
 APIMANS += gnutls_certificate_set_x509_crl.3
-APIMANS += gnutls_certificate_get_openpgp_keyring.3
 APIMANS += gnutls_global_init.3
 APIMANS += gnutls_global_deinit.3
 APIMANS += gnutls_global_set_mutex.3
diff --git a/lib/ext/Makefile.am b/lib/ext/Makefile.am
index 0062d495fe..e3b0a5545c 100644
--- a/lib/ext/Makefile.am
+++ b/lib/ext/Makefile.am
@@ -39,3 +39,5 @@ libgnutls_ext_la_SOURCES = max_record.c cert_type.c \
 	max_record.h cert_type.h server_name.h srp.h \
 	session_ticket.h signature.h safe_renegotiation.h \
 	session_ticket.c srp.c ecc.c ecc.h
+
+libgnutls_ext_la_SOURCES += status_request.h status_request.c
diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
new file mode 100644
index 0000000000..07d6516434
--- /dev/null
+++ b/lib/ext/status_request.c
@@ -0,0 +1,413 @@
+/*
+ * Copyright (C) 2012 Free Software Foundation, Inc.
+ *
+ * Author: Simon Josefsson
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 3 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+/*
+  Status Request (OCSP) TLS extension.  See RFC 6066 section 8:
+  https://tools.ietf.org/html/rfc6066#section-8
+*/
+
+#include "gnutls_int.h"
+#include "gnutls_errors.h"
+#include <gnutls_extensions.h>
+#include <ext/status_request.h>
+
+typedef struct
+{
+  gnutls_datum_t *responder_id;
+  size_t responder_id_size;
+  gnutls_datum_t request_extensions;
+  int dealloc;
+
+  gnutls_status_request_ocsp_func ocsp_func;
+  void *ocsp_func_ptr;
+
+  int expect_certificate_status;
+} status_request_ext_st;
+
+/*
+  From RFC 6066.  Client sends:
+
+      struct {
+          CertificateStatusType status_type;
+          select (status_type) {
+              case ocsp: OCSPStatusRequest;
+          } request;
+      } CertificateStatusRequest;
+
+      enum { ocsp(1), (255) } CertificateStatusType;
+
+      struct {
+          ResponderID responder_id_list<0..2^16-1>;
+          Extensions  request_extensions;
+      } OCSPStatusRequest;
+
+      opaque ResponderID<1..2^16-1>;
+      opaque Extensions<0..2^16-1>;
+*/
+
+static int
+client_send (gnutls_session_t session,
+	     gnutls_buffer_st* extdata,
+	     status_request_ext_st *priv)
+{
+  int ret_len = 1 + 2;
+  int ret;
+  size_t i;
+
+  ret = _gnutls_buffer_append_prefix (extdata, 8, 1);
+  if (ret < 0)
+    return gnutls_assert_val (ret);
+
+  ret = _gnutls_buffer_append_prefix (extdata, 16, priv->responder_id_size);
+  if (ret < 0)
+    return gnutls_assert_val (ret);
+
+  for (i = 0; i < priv->responder_id_size; i++)
+    {
+      if (priv->responder_id[i].size <= 0)
+	return gnutls_assert_val (GNUTLS_E_INVALID_REQUEST);
+
+      ret = _gnutls_buffer_append_data_prefix (extdata, 16,
+					       priv->responder_id[i].data,
+					       priv->responder_id[i].size);
+      if (ret < 0)
+	return gnutls_assert_val (ret);
+
+      ret_len += 2 + priv->responder_id[i].size;
+    }
+
+  ret = _gnutls_buffer_append_data_prefix (extdata, 16,
+					   priv->request_extensions.data,
+					   priv->request_extensions.size);
+  if (ret < 0)
+    return gnutls_assert_val (ret);
+
+  ret_len += 2 + priv->request_extensions.size;
+
+  return ret_len;
+}
+
+static int
+server_recv (gnutls_session_t session,
+	     status_request_ext_st *priv,
+	     const uint8_t * data,
+	     size_t size)
+{
+  size_t i;
+
+  _gnutls_handshake_log ("EXT[%p]: got ocsp\n", session);
+
+  /* minimum message is type (1) + responder_id_list (2) +
+     request_extension (2) = 5 */
+  if (size < 5)
+    return gnutls_assert_val (GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+  /* We ignore non-ocsp CertificateStatusType.  The spec is unclear
+     what should be done. */
+  if (data[0] != '\x01')
+    {
+      gnutls_assert ();
+      _gnutls_handshake_log ("EXT[%p]: unknown status_type %d\n",
+			     session, data[0]);
+      return 0;
+    }
+  size--, data++;
+
+  priv->dealloc = 1;
+
+  priv->responder_id_size = _gnutls_read_uint16 (data);
+  size -= 2, data += 2;
+
+  if (size <= priv->responder_id_size * 2)
+    return gnutls_assert_val (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
+  priv->responder_id = gnutls_malloc (priv->responder_id_size
+				      * sizeof (*priv->responder_id));
+  if (priv->responder_id == NULL)
+    return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR);
+
+  for (i = 0; i < priv->responder_id_size; i++)
+    {
+      size_t l;
+
+      if (size <= 2)
+	return gnutls_assert_val (GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+      l = _gnutls_read_uint16 (data);
+      size -= 2, data += 2;
+
+      if (size <= l)
+	return gnutls_assert_val (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
+      priv->responder_id[i].data = gnutls_malloc (l);
+      if (priv->responder_id[i].data == NULL)
+	return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR);
+
+      memcpy (priv->responder_id[i].data, data, l);
+      priv->responder_id[i].size = l;
+
+      size -= l, data += l;
+    }
+
+  return 0;
+}
+
+/*
+  Servers return a certificate response along with their certificate
+  by sending a "CertificateStatus" message immediately after the
+  "Certificate" message (and before any "ServerKeyExchange" or
+  "CertificateRequest" messages).  If a server returns a
+  "CertificateStatus" message, then the server MUST have included an
+  extension of type "status_request" with empty "extension_data" in
+  the extended server hello.
+*/
+
+static int
+server_send (gnutls_session_t session,
+	     gnutls_buffer_st* extdata,
+	     status_request_ext_st *priv)
+{
+  int ret;
+
+  if (priv->ocsp_func == NULL)
+    return gnutls_assert_val (GNUTLS_E_SUCCESS);
+
+  ret = priv->ocsp_func (session, priv->ocsp_func_ptr, NULL);
+  if (ret == GNUTLS_E_NO_CERTIFICATE_STATUS)
+    return 0;
+  else if (ret != GNUTLS_E_SUCCESS)
+    return gnutls_assert_val (ret);
+
+  ret = _gnutls_buffer_append_data (extdata, "", 0);
+  if (ret < 0)
+    return gnutls_assert_val (ret);
+
+  priv->expect_certificate_status = 1;
+
+  return 0;
+}
+
+static int
+client_recv (gnutls_session_t session,
+	     status_request_ext_st *priv,
+	     const uint8_t * data,
+	     size_t size)
+{
+  if (size != 0)
+    return gnutls_assert_val (GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+  priv->expect_certificate_status = 1;
+
+  return 0;
+}
+
+static int
+_gnutls_status_request_send_params (gnutls_session_t session,
+				    gnutls_buffer_st* extdata)
+{
+  extension_priv_data_t epriv;
+  status_request_ext_st *priv;
+  int ret;
+
+  ret = _gnutls_ext_get_session_data (session,
+				      GNUTLS_EXTENSION_STATUS_REQUEST,
+				      &epriv);
+  if (ret < 0)              /* it is ok not to have it */
+    return 0;
+
+  priv = epriv.ptr;
+
+  if (session->security_parameters.entity == GNUTLS_CLIENT)
+    return client_send (session, extdata, priv);
+  return server_send (session, extdata, priv);
+}
+
+static int
+_gnutls_status_request_recv_params (gnutls_session_t session,
+				    const uint8_t * data,
+				    size_t size)
+{
+  extension_priv_data_t epriv;
+  status_request_ext_st *priv;
+  int ret;
+
+  ret = _gnutls_ext_get_session_data (session,
+				      GNUTLS_EXTENSION_STATUS_REQUEST,
+				      &epriv);
+  if (ret < 0)              /* it is ok not to have it */
+    return 0;
+
+  priv = epriv.ptr;
+
+  if (session->security_parameters.entity == GNUTLS_CLIENT)
+    return client_recv (session, priv, data, size);
+  return server_recv (session, priv, data, size);
+}
+
+/**
+ * gnutls_status_request_ocsp_client:
+ * @session: is a #gnutls_session_t structure.
+ * @responder_id: array with #gnutls_datum_t with DER data of responder id
+ * @responder_id_size: number of members in @responder_id array
+ * @request_extensions: a #gnutls_datum_t with DER encoded OCSP extensions
+ *
+ * This function is to be used by clients to request OCSP response
+ * from the server, using the "status_request" TLS extension.  Only
+ * OCSP status type is supported.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
+ **/
+int
+gnutls_status_request_ocsp_client (gnutls_session_t session,
+				   gnutls_datum_t *responder_id,
+				   size_t responder_id_size,
+				   gnutls_datum_t *request_extensions)
+{
+  status_request_ext_st *priv;
+  extension_priv_data_t epriv;
+
+  if (session->security_parameters.entity == GNUTLS_SERVER)
+    return gnutls_assert_val (GNUTLS_E_INVALID_REQUEST);
+
+  epriv.ptr = priv = gnutls_calloc (1, sizeof (*priv));
+  if (priv == NULL)
+    return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR);
+
+  priv->responder_id = responder_id;
+  priv->responder_id_size = responder_id_size;
+  if (request_extensions)
+    {
+      priv->request_extensions.data = request_extensions->data;
+      priv->request_extensions.size = request_extensions->size;
+    }
+
+  _gnutls_ext_set_session_data (session,
+				GNUTLS_EXTENSION_STATUS_REQUEST,
+				epriv);
+
+  return 0;
+}
+
+/**
+ * gnutls_status_request_ocsp_server:
+ * @session: is a #gnutls_session_t structure.
+ * @ocsp_func: function pointer to OCSP status request callback.
+ * @ptr: opaque pointer passed to callback function
+ *
+ * This function is to be used by server to register a callback to
+ * handle OCSP status requests from the client.  The callback will be
+ * invoked if the client supplied a status-request OCSP extension.
+ * The callback function prototype is:
+ *
+ * typedef int (*gnutls_status_request_ocsp_func)
+ *    (gnutls_session_t session, void *ptr, gnutls_datum_t *ocsp_response);
+ *
+ * The callback may be invoked up to two times for each handshake.  It
+ * is called the first time when the client hello requested the status
+ * request extension.  In this case, ocsp_response is NULL.  The
+ * purpose of the first callback invocation is to determine whether
+ * the server will acknowledge the client's request to use the
+ * extension.  The callback may return
+ * %GNUTLS_E_NO_CERTIFICATE_STATUS, in which case the server will not
+ * enable the extension.  If the callback returns %GNUTLS_E_SUCCESS,
+ * the server enable the extension.  If the callback returns another
+ * error code, the handshake will terminate.
+ *
+ * If the first call to the callback enabled the extension, there will
+ * usually be a second phase, with a non-NULL ocsp_response.  Now the
+ * server is ready to send the CertificateStatus, and it expects the
+ * callback to provide the OCSP response data.  The callback can at
+ * this point return %GNUTLS_E_NO_CERTIFICATE_STATUS to avoid sending
+ * a CertificateStatus message.  If the callback returns
+ * %GNUTLS_E_SUCCESS the ocsp_response will be sent off to the client.
+ * If the callback returns an error, the handshake will terminate.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
+ **/
+int
+gnutls_status_request_ocsp_server (gnutls_session_t session,
+				   gnutls_status_request_ocsp_func ocsp_func,
+				   void *ptr)
+{
+  status_request_ext_st *priv;
+  extension_priv_data_t epriv;
+
+  if (session->security_parameters.entity == GNUTLS_CLIENT)
+    return gnutls_assert_val (GNUTLS_E_INVALID_REQUEST);
+
+  epriv.ptr = priv = gnutls_calloc (1, sizeof (*priv));
+  if (priv == NULL)
+    return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR);
+
+  priv->ocsp_func = ocsp_func;
+  priv->ocsp_func_ptr = ptr;
+
+  _gnutls_ext_set_session_data (session,
+				GNUTLS_EXTENSION_STATUS_REQUEST,
+				epriv);
+
+  return 0;
+}
+
+static void
+_gnutls_status_request_deinit_data (extension_priv_data_t epriv)
+{
+  status_request_ext_st *priv = epriv.ptr;
+  size_t i;
+
+  if (priv->dealloc)
+    {
+      for (i = 0; i < priv->responder_id_size; i++)
+	gnutls_free (priv->responder_id[i].data);
+      gnutls_free (priv->responder_id);
+      gnutls_free (priv->request_extensions.data);
+    }
+
+  gnutls_free (priv);
+}
+
+static int
+_gnutls_status_request_pack (extension_priv_data_t epriv,
+			     gnutls_buffer_st * ps)
+{
+  return -1;
+}
+
+static int
+_gnutls_status_request_unpack (gnutls_buffer_st * ps,
+			       extension_priv_data_t * _priv)
+{
+  return -1;
+}
+
+extension_entry_st ext_mod_status_request = {
+  .name = "STATUS REQUEST",
+  .type = GNUTLS_EXTENSION_STATUS_REQUEST,
+  .parse_type = GNUTLS_EXT_TLS,
+  .recv_func = _gnutls_status_request_recv_params,
+  .send_func = _gnutls_status_request_send_params,
+  .pack_func = _gnutls_status_request_pack,
+  .unpack_func = _gnutls_status_request_unpack,
+  .deinit_func = _gnutls_status_request_deinit_data
+};
diff --git a/lib/ext/status_request.h b/lib/ext/status_request.h
new file mode 100644
index 0000000000..dc807f8259
--- /dev/null
+++ b/lib/ext/status_request.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2012 Free Software Foundation, Inc.
+ *
+ * Author: Simon Josefsson
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 3 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#ifndef EXT_STATUS_REQUEST_H
+#define EXT_STATUS_REQUEST_H
+
+#include <gnutls_extensions.h>
+
+extern extension_entry_st ext_mod_status_request;
+
+#endif
diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c
index 42857d0157..c91989f603 100644
--- a/lib/gnutls_extensions.c
+++ b/lib/gnutls_extensions.c
@@ -37,6 +37,7 @@
 #include <ext/signature.h>
 #include <ext/safe_renegotiation.h>
 #include <ext/ecc.h>
+#include <ext/status_request.h>
 #include <gnutls_num.h>
 
 
@@ -310,10 +311,13 @@ _gnutls_ext_init (void)
   if (ret != GNUTLS_E_SUCCESS)
     return ret;
 
-  ret = _gnutls_ext_register (&ext_mod_cert_type);
+  ret = _gnutls_ext_register (&ext_mod_status_request);
   if (ret != GNUTLS_E_SUCCESS)
     return ret;
 
+  ret = _gnutls_ext_register (&ext_mod_cert_type);
+  if (ret != GNUTLS_E_SUCCESS)
+    return ret;
 
   ret = _gnutls_ext_register (&ext_mod_server_name);
   if (ret != GNUTLS_E_SUCCESS)
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 4a60ae0d8f..b7ec7b3f6c 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -240,6 +240,7 @@ typedef enum extensions_t
 {
   GNUTLS_EXTENSION_SERVER_NAME = 0,
   GNUTLS_EXTENSION_MAX_RECORD_SIZE = 1,
+  GNUTLS_EXTENSION_STATUS_REQUEST = 5,
   GNUTLS_EXTENSION_CERT_TYPE = 9,
   GNUTLS_EXTENSION_SUPPORTED_ECC = 10,
   GNUTLS_EXTENSION_SUPPORTED_ECC_PF = 11,
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 035f63857a..2aeee8eb1d 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -914,6 +914,17 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session);
 
   int gnutls_key_generate (gnutls_datum_t * key, unsigned int key_size);
 
+  /* OCSP status request extension, RFC 6066 */
+  typedef int (*gnutls_status_request_ocsp_func)
+  (gnutls_session_t session, void *ptr, gnutls_datum_t *ocsp_response);
+  int gnutls_status_request_ocsp_server (gnutls_session_t session,
+				 gnutls_status_request_ocsp_func ocsp_func,
+					 void *ptr);
+  int gnutls_status_request_ocsp_client (gnutls_session_t session,
+					 gnutls_datum_t *responder_id,
+					 size_t responder_id_size,
+					 gnutls_datum_t *request_extensions);
+
 /* if you just want some defaults, use the following.
  */
   int gnutls_priority_init (gnutls_priority_t * priority_cache,
@@ -1890,6 +1901,8 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session);
 #define GNUTLS_E_X509_UNSUPPORTED_EXTENSION -327
 #define GNUTLS_E_SESSION_EOF -328
 
+#define GNUTLS_E_NO_CERTIFICATE_STATUS -329
+
 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
 
 
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 31938482ed..183b262f4e 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -786,6 +786,8 @@ GNUTLS_3_0_0 {
 	gnutls_x509_crt_set_private_key_usage_period;
 	gnutls_x509_crq_set_private_key_usage_period;
 	gnutls_session_get_random;
+	gnutls_status_request_ocsp_client;
+	gnutls_status_request_ocsp_server;
 } GNUTLS_2_12;
 
 GNUTLS_PRIVATE {
diff --git a/src/cli-args.def b/src/cli-args.def
index b032ad0b87..c9a12bd81c 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -49,6 +49,12 @@ flag = {
 };
 
 flag = {
+    name      = status-request-ocsp;
+    descrip   = "Request OCSP status request";
+    doc       = "The client will indicate to the server in a TLS extension that it wants a OCSP status request.";
+};
+
+flag = {
     name      = starttls;
     value     = s;
     descrip   = "Connect, establish a plain session and start TLS.";
diff --git a/src/cli.c b/src/cli.c
index 1cdc1df173..43ae9313db 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -68,6 +68,7 @@ int resume, starttls, insecure, rehandshake, udp, mtu;
 const char *hostname = NULL;
 const char *service = NULL;
 int record_max_size;
+int status_request_ocsp;
 int fingerprint;
 int crlf;
 unsigned int verbose = 0;
@@ -711,6 +712,16 @@ init_tls_session (const char *hostname)
         }
     }
 
+  /* OCSP status-request TLS extension */
+  if (status_request_ocsp > 0 && disable_extensions == 0)
+    {
+      if (gnutls_status_request_ocsp_client (session, NULL, 0, NULL) < 0)
+        {
+          fprintf (stderr, "Cannot set OCSP status request information.\n");
+          exit (1);
+        }
+    }
+
 #ifdef ENABLE_SESSION_TICKET
   if (disable_extensions == 0 && !HAVE_OPT(NOTICKET)t)
     gnutls_session_ticket_enable_client (session);
@@ -1169,6 +1180,7 @@ const char* rest = NULL;
     }
 
   record_max_size = OPT_VALUE_RECORDSIZE;
+  status_request_ocsp = HAVE_OPT(STATUS_REQUEST_OCSP);
   fingerprint = HAVE_OPT(FINGERPRINT);
 
   if (HAVE_OPT(X509FMTDER))
diff --git a/src/serv-args.def b/src/serv-args.def
index 9264d137cf..b4a9b49c08 100644
--- a/src/serv-args.def
+++ b/src/serv-args.def
@@ -221,6 +221,14 @@ flag = {
 };
 
 flag = {
+    name      = status-response-ocsp;
+    arg-type  = file;
+    file-exists = yes;
+    descrip   = "OCSP response to send to client";
+    doc      = "If the client requested an OCSP response, return data from this file to the client.";
+};
+
+flag = {
     name      = port;
     value     = p;
     arg-type  = number;
diff --git a/src/serv.c b/src/serv.c
index 52fcddee0b..46287af060 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -81,6 +81,7 @@ const char *x509_cafile = NULL;
 const char *dh_params_file = NULL;
 const char *x509_crlfile = NULL;
 const char * priorities = NULL;
+const char * status_response_ocsp = NULL;
 
 gnutls_datum_t session_ticket_key;
 static void tcp_server(const char* name, int port);
@@ -329,6 +330,14 @@ generate_rsa_params (void)
 
 LIST_DECLARE_INIT (listener_list, listener_item, listener_free);
 
+static int
+ocsp_callback (gnutls_session_t session,
+	       void *ptr,
+	       gnutls_datum_t *ocsp_response)
+{
+  return GNUTLS_E_NO_CERTIFICATE_STATUS;
+}
+
 gnutls_session_t initialize_session (int dtls)
 {
   gnutls_session_t session;
@@ -358,6 +367,19 @@ gnutls_session_t initialize_session (int dtls)
     gnutls_session_ticket_enable_server (session, &session_ticket_key);
 #endif
 
+  /* OCSP status-request TLS extension */
+  if (status_response_ocsp)
+    {
+      if (gnutls_status_request_ocsp_server (session, ocsp_callback, NULL) < 0)
+	{
+	  fprintf (stderr, "Cannot set OCSP status request callback.\n");
+	  exit (1);
+	}
+    }
+
+  if (noticket == 0)
+    gnutls_session_ticket_enable_server (session, &session_ticket_key);
+
   if (gnutls_priority_set_direct (session, priorities, &err) < 0)
     {
       fprintf (stderr, "Syntax error at: %s\n", err);
@@ -1609,6 +1631,9 @@ static void cmd_parser (int argc, char **argv)
   if (HAVE_OPT(PSKPASSWD))
     psk_passwd = OPT_ARG(PSKPASSWD);
 
+  if (HAVE_OPT(STATUS_RESPONSE_OCSP))
+    status_response_ocsp = OPT_ARG(STATUS_RESPONSE_OCSP);
+
 }
 
 extern void serv_version (void);