4 files changed, 52 insertions, 18 deletions

diff --git a/apps/include/apps.h b/apps/include/apps.h
index 41178a6e22..829c49e34e 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -175,10 +175,10 @@ const EVP_MD *get_digest_from_engine(const char *name);
 const EVP_CIPHER *get_cipher_from_engine(const char *name);
 
 # ifndef OPENSSL_NO_OCSP
-OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
-                                 const char *host, const char *path,
-                                 const char *port, int use_ssl,
-                                 STACK_OF(CONF_VALUE) *headers,
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
+                                 const char *port, const char *path,
+                                 const char *proxy, const char *no_proxy,
+                                 int use_ssl, STACK_OF(CONF_VALUE) *headers,
                                  int req_timeout);
 # endif
 
diff --git a/apps/ocsp.c b/apps/ocsp.c
index dd816c4221..9b26af8655 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -87,6 +87,7 @@ static int index_changed(CA_DB *);
 typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
+    OPT_PROXY, OPT_NO_PROXY,
     OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE,
     OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS,
     OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN,
@@ -158,6 +159,13 @@ const OPTIONS ocsp_options[] = {
     {"url", OPT_URL, 's', "Responder URL"},
     {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
     {"port", OPT_PORT, 'p', "Port to run responder on"},
+    {"path", OPT_PATH, 's', "Path to use in OCSP request"},
+    {"proxy", OPT_PROXY, 's',
+     "[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"},
+    {"no_proxy", OPT_NO_PROXY, 's',
+     "List of addresses of servers not to use HTTP(S) proxy for"},
+    {OPT_MORE_STR, 0, 0,
+     "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
     {"out", OPT_OUTFILE, '>', "Output filename"},
     {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
     {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
@@ -184,7 +192,6 @@ const OPTIONS ocsp_options[] = {
     {"VAfile", OPT_VAFILE, '<', "Validator certificates file"},
     {"verify_other", OPT_VERIFY_OTHER, '<',
      "Additional certificates to search for signer"},
-    {"path", OPT_PATH, 's', "Path to use in OCSP request"},
     {"cert", OPT_CERT, '<', "Certificate to check"},
     {"serial", OPT_SERIAL, 's', "Serial number to check"},
     {"validity_period", OPT_VALIDITY_PERIOD, 'u',
@@ -225,6 +232,8 @@ int ocsp_main(int argc, char **argv)
     const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
     char *header, *value, *respdigname = NULL;
     char *host = NULL, *port = NULL, *path = "/", *outfile = NULL;
+    char *opt_proxy = NULL;
+    char *opt_no_proxy = NULL;
     char *rca_filename = NULL, *reqin = NULL, *respin = NULL;
     char *reqout = NULL, *respout = NULL, *ridx_filename = NULL;
     char *rsignfile = NULL, *rkeyfile = NULL;
@@ -287,6 +296,15 @@ int ocsp_main(int argc, char **argv)
         case OPT_PORT:
             port = opt_arg();
             break;
+        case OPT_PATH:
+            path = opt_arg();
+            break;
+        case OPT_PROXY:
+            opt_proxy = opt_arg();
+            break;
+        case OPT_NO_PROXY:
+            opt_no_proxy = opt_arg();
+            break;
         case OPT_IGNORE_ERR:
             ignore_err = 1;
             break;
@@ -398,9 +416,6 @@ int ocsp_main(int argc, char **argv)
         case OPT_RESPOUT:
             respout = opt_arg();
             break;
-        case OPT_PATH:
-            path = opt_arg();
-            break;
         case OPT_ISSUER:
             issuer = load_cert(opt_arg(), FORMAT_UNDEF, "issuer certificate");
             if (issuer == NULL)
@@ -702,8 +717,8 @@ redo_accept:
             send_ocsp_response(cbio, resp);
     } else if (host != NULL) {
 #ifndef OPENSSL_NO_SOCK
-        resp = process_responder(req, host, path,
-                                 port, use_ssl, headers, req_timeout);
+        resp = process_responder(req, host, port, path, opt_proxy, opt_no_proxy,
+                                 use_ssl, headers, req_timeout);
         if (resp == NULL)
             goto end;
 #else
@@ -1193,10 +1208,10 @@ static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp)
 }
 
 #ifndef OPENSSL_NO_SOCK
-OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
-                                 const char *host, const char *path,
-                                 const char *port, int use_ssl,
-                                 STACK_OF(CONF_VALUE) *headers,
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
+                                 const char *port, const char *path,
+                                 const char *proxy, const char *no_proxy,
+                                 int use_ssl, STACK_OF(CONF_VALUE) *headers,
                                  int req_timeout)
 {
     SSL_CTX *ctx = NULL;
@@ -1211,7 +1226,7 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
     }
 
     resp = (OCSP_RESPONSE *)
-        app_http_post_asn1(host, port, path, NULL, NULL /* no proxy used */,
+        app_http_post_asn1(host, port, path, proxy, no_proxy,
                            ctx, headers, "application/ocsp-request",
                            (ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST),
                            "application/ocsp-response",
diff --git a/apps/s_server.c b/apps/s_server.c
index 51b5c9d381..2001de426c 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -523,8 +523,8 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
         if (!OCSP_REQUEST_add_ext(req, ext, -1))
             goto err;
     }
-    *resp = process_responder(req, host, path, port, use_ssl, NULL,
-                             srctx->timeout);
+    *resp = process_responder(req, host, port, path, proxy, no_proxy,
+                              use_ssl, NULL /* headers */, srctx->timeout);
     if (*resp == NULL) {
         BIO_puts(bio_err, "cert_status: error querying responder\n");
         goto done;
diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in
index 9fdb25ba5a..168817f608 100644
--- a/doc/man1/openssl-ocsp.pod.in
+++ b/doc/man1/openssl-ocsp.pod.in
@@ -30,9 +30,11 @@ B<openssl> B<ocsp>
 [B<-respin> I<file>]
 [B<-url> I<URL>]
 [B<-host> I<host>:I<port>]
+[B<-path>]
+[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>]
+[B<-no_proxy> I<addresses>]
 [B<-header>]
 [B<-timeout> I<seconds>]
-[B<-path>]
 [B<-VAfile> I<file>]
 [B<-validity_period> I<n>]
 [B<-status_age> I<n>]
@@ -167,6 +169,23 @@ I<hostname> on port I<port>. The B<-path> option specifies the HTTP pathname
 to use or "/" by default.  This is equivalent to specifying B<-url> with scheme
 http:// and the given hostname, port, and pathname.
 
+=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>
+
+The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy>
+applies, see below.
+The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
+the optional C<http://> or C<https://> prefix is ignored,
+as well as any userinfo and path components.
+Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
+in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.
+
+=item B<-no_proxy> I<addresses>
+
+List of IP addresses and/or DNS names of servers
+not to use an HTTP(S) proxy for, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in "...").
+Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>.
+
 =item B<-header> I<name>=I<value>
 
 Adds the header I<name> with the specified I<value> to the OCSP request