typedef enum OPTION_choice {
OPT_COMMON,
OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
+ OPT_PROXY, OPT_NO_PROXY,
OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE,
OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS,
OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN,
{"url", OPT_URL, 's', "Responder URL"},
{"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
{"port", OPT_PORT, 'p', "Port to run responder on"},
+ {"path", OPT_PATH, 's', "Path to use in OCSP request"},
+ {"proxy", OPT_PROXY, 's',
+ "[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"},
+ {"no_proxy", OPT_NO_PROXY, 's',
+ "List of addresses of servers not to use HTTP(S) proxy for"},
+ {OPT_MORE_STR, 0, 0,
+ "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
{"out", OPT_OUTFILE, '>', "Output filename"},
{"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
{"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
{"VAfile", OPT_VAFILE, '<', "Validator certificates file"},
{"verify_other", OPT_VERIFY_OTHER, '<',
"Additional certificates to search for signer"},
- {"path", OPT_PATH, 's', "Path to use in OCSP request"},
{"cert", OPT_CERT, '<', "Certificate to check"},
{"serial", OPT_SERIAL, 's', "Serial number to check"},
{"validity_period", OPT_VALIDITY_PERIOD, 'u',
const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
char *header, *value, *respdigname = NULL;
char *host = NULL, *port = NULL, *path = "/", *outfile = NULL;
+ char *opt_proxy = NULL;
+ char *opt_no_proxy = NULL;
char *rca_filename = NULL, *reqin = NULL, *respin = NULL;
char *reqout = NULL, *respout = NULL, *ridx_filename = NULL;
char *rsignfile = NULL, *rkeyfile = NULL;
case OPT_PORT:
port = opt_arg();
break;
+ case OPT_PATH:
+ path = opt_arg();
+ break;
+ case OPT_PROXY:
+ opt_proxy = opt_arg();
+ break;
+ case OPT_NO_PROXY:
+ opt_no_proxy = opt_arg();
+ break;
case OPT_IGNORE_ERR:
ignore_err = 1;
break;
case OPT_RESPOUT:
respout = opt_arg();
break;
- case OPT_PATH:
- path = opt_arg();
- break;
case OPT_ISSUER:
issuer = load_cert(opt_arg(), FORMAT_UNDEF, "issuer certificate");
if (issuer == NULL)
send_ocsp_response(cbio, resp);
} else if (host != NULL) {
#ifndef OPENSSL_NO_SOCK
- resp = process_responder(req, host, path,
- port, use_ssl, headers, req_timeout);
+ resp = process_responder(req, host, port, path, opt_proxy, opt_no_proxy,
+ use_ssl, headers, req_timeout);
if (resp == NULL)
goto end;
#else
}
#ifndef OPENSSL_NO_SOCK
-OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
- const char *host, const char *path,
- const char *port, int use_ssl,
- STACK_OF(CONF_VALUE) *headers,
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
+ const char *port, const char *path,
+ const char *proxy, const char *no_proxy,
+ int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout)
{
SSL_CTX *ctx = NULL;
}
resp = (OCSP_RESPONSE *)
- app_http_post_asn1(host, port, path, NULL, NULL /* no proxy used */,
+ app_http_post_asn1(host, port, path, proxy, no_proxy,
ctx, headers, "application/ocsp-request",
(ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST),
"application/ocsp-response",
[B<-respin> I<file>]
[B<-url> I<URL>]
[B<-host> I<host>:I<port>]
+[B<-path>]
+[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>]
+[B<-no_proxy> I<addresses>]
[B<-header>]
[B<-timeout> I<seconds>]
-[B<-path>]
[B<-VAfile> I<file>]
[B<-validity_period> I<n>]
[B<-status_age> I<n>]
to use or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.
+=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>
+
+The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy>
+applies, see below.
+The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
+the optional C<http://> or C<https://> prefix is ignored,
+as well as any userinfo and path components.
+Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
+in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.
+
+=item B<-no_proxy> I<addresses>
+
+List of IP addresses and/or DNS names of servers
+not to use an HTTP(S) proxy for, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in "...").
+Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>.
+
=item B<-header> I<name>=I<value>
Adds the header I<name> with the specified I<value> to the OCSP request
projects / openssl.git / commitdiff