authorjfigus <foleyj@cisco.com>2014-12-02 15:44:49 -0500
committerMatt Caswell <matt@openssl.org>2016-05-16 14:42:30 +0100
commitba261f718b1828751ec8a88ee5592fa6436aa422 (patch)
tree7a10404bfe31d00a30b4cc9ecef4214daf8ab2d8 /ssl
parentb04f947941d08b5d077a63b017ecee5e4e2e11cc (diff)
Propagate tlsext_status_type from SSL_CTX to SSL
To allow OCSP stapling to work with libcurl.

Github PR #200

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r--ssl/s3_lib.c4
-rw-r--r--ssl/ssl_lib.c4
-rw-r--r--ssl/ssl_locl.h4
3 files changed, 11 insertions, 1 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 5d5293e1fc..eaf6ee23e9 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3413,6 +3413,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return 1;
}
+ case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
+ ctx->tlsext_status_type = larg;
+ break;
+
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
ctx->tlsext_status_arg = parg;
return 1;
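Review bot: The new `SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE` case stores `larg` (a `long`) into the `int` field with no range check, and it leaves the switch with `break` while the neighbouring cases `return 1` directly. Because every SSL created from this context later inherits the value, an unexpected type is worth rejecting at this point, for example `if (larg != -1 && larg != TLSEXT_STATUSTYPE_ocsp) return 0;` before the assignment, unless the setter is deliberately meant to accept any value. Ending the case with `return 1;` would make the result explicit and match the surrounding cases. The end of `ssl3_ctx_ctrl` is outside the hunk, so what the `break` path returns cannot be confirmed from here.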
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e7eb3028b4..14e8c1e4f6 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -693,7 +693,7 @@ SSL *SSL_new(SSL_CTX *ctx)
s->tlsext_debug_cb = 0;
s->tlsext_debug_arg = NULL;
s->tlsext_ticket_expected = 0;
- s->tlsext_status_type = -1;
+ s->tlsext_status_type = ctx->tlsext_status_type;
s->tlsext_status_expected = 0;
s->tlsext_ocsp_ids = NULL;
s->tlsext_ocsp_exts = NULL;
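Review bot: `SSL_new` builds both client and server connections, so after this change a server-side SSL also starts with the context's status type instead of -1. Whether the server handshake resets the field before deciding to send a stapled response is not visible in this hunk (the body of `SSL_new` continues outside it), so that path should be checked and covered by a test. A short comment on the assignment would help the next reader, for example `/* default from the context; SSL_set_tlsext_status_type() overrides it per connection */`.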
@@ -2502,6 +2502,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
*/
ret->options |= SSL_OP_NO_COMPRESSION;
+ ret->tlsext_status_type = -1;
+
return ret;
err:
SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c9c071ae6f..9bc9892e2c 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -953,6 +953,10 @@ struct ssl_ctx_st {
size_t tlsext_ellipticcurvelist_length;
unsigned char *tlsext_ellipticcurvelist;
# endif /* OPENSSL_NO_EC */
+
+ /* ext status type used for CSR extension (OCSP Stapling) */
+ int tlsext_status_type;
+
CRYPTO_RWLOCK *lock;
};
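Review bot: The field comment abbreviates the extension as "CSR", which most readers take to mean certificate signing request, and it does not say which values the field holds. Something like `/* status_request type to send (TLSEXT_STATUSTYPE_*), -1 = none; default for SSLs created from this ctx */` would be clearer. The -1 sentinel is set as a bare literal in `SSL_CTX_new` in ssl_lib.c, so a named constant shared with this header would keep the two in step. Whether the field needs a feature guard like the `OPENSSL_NO_EC` block above it cannot be told from this hunk, since `struct ssl_ctx_st` begins outside it.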