From bd0c3b3c66da5c087479a81234002151333d808f Mon Sep 17 00:00:00 2001
From: Alessandro Ghedini
Date: Mon, 16 Jun 2014 20:47:26 +0200
Subject: [PATCH] curl: add --cert-status option

This enables the CURLOPT_SSL_VERIFYSTATUS functionality.
---
 docs/curl.1 | 10 ++++++++++
 src/tool_cfgable.h | 1 +
 src/tool_getparam.c | 5 +++++
 src/tool_operate.c | 3 +++
 4 files changed, 19 insertions(+)

diff --git a/docs/curl.1 b/docs/curl.1
index 0b9971cd2..40cfbedff 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -552,6 +552,16 @@ This is currently only implemented in the OpenSSL, GnuTLS and GSKit backends. If this option is used several times, the last one will be used. (Added in 7.39.0)
+.IP "--cert-status"
+(SSL) Tells curl to verify the status of the server certificate by using the
+Certificate Status Request (aka. OCSP stapling) TLS extension.
+
+If this option is enabled and the server sends an invalid (e.g. expired)
+response, if the response suggests that the server certificate has been revoked,
+or no response at all is received, the verification fails.
+
+This is currently only implemented in the GnuTLS and NSS backends.
+(Added in 7.41.0)
 .IP "-f, --fail"
 (HTTP) Fail silently (no output at all) on server errors. This is mostly done to better enable scripts etc to better deal with failed attempts. In normal
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index cf8d563b0..4008cd0c2 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -126,6 +126,7 @@ struct OperationConfig {
 bool globoff;
 bool use_httpget;
 bool insecure_ok; /* set TRUE to allow insecure SSL connects */
+ bool verifystatus;
 bool create_dirs;
 bool ftp_create_dirs;
 bool ftp_skip_ip;
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 3932ccbf5..ee198c36c 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -217,6 +217,7 @@ static const struct LongShort aliases[]= {
 {"En", "ssl-allow-beast", FALSE},
 {"Eo", "login-options", TRUE},
 {"Ep", "pinnedpubkey", TRUE},
+ {"Eq", "cert-status", FALSE},
 {"f", "fail", FALSE},
 {"F", "form", TRUE},
 {"Fs", "form-string", TRUE},
@@ -1363,6 +1364,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
 GetStr(&config->pinnedpubkey, nextarg);
 break;
+ case 'q': /* --cert-status */
+ config->verifystatus = TRUE;
+ break;
+
 default: /* certificate file */
 {
 char *certname, *passphrase;
diff --git a/src/tool_operate.c b/src/tool_operate.c
index a21bbcaf4..04fd59b88 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1038,6 +1038,9 @@ static CURLcode operate_do(struct GlobalConfig *global,
 /* libcurl default is strict verifyhost -> 2L */
 /* my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L); */
 }
+
+ if(config->verifystatus)
+ my_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);
 }
 if(built_in_protos & (CURLPROTO_SCP|CURLPROTO_SFTP)) {
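Review bot: In src/tool_getparam.c the new `case 'q'` arm forces the flag to `TRUE`, so a negated `--no-cert-status` (assuming the parser accepts the `no-` prefix for this argument-less alias, as it does for other boolean options) would switch the status check on instead of off. getparameter() tracks the requested on/off state in its `toggle` local, which is declared outside this hunk, so the assignment could read `config->verifystatus = toggle;`. That keeps the option consistent with the other boolean switches and lets a command line predictably override a `--cert-status` picked up from a config file.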
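Review bot: In src/tool_operate.c the added `my_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);` carries no comment on what happens when the TLS backend cannot do OCSP stapling, which the man-page text in this same patch limits to GnuTLS and NSS. `my_setopt` is defined outside this hunk and operate_do() continues beyond it; presumably a non-zero result aborts the transfer, but that should be confirmed so `--cert-status` can never degrade silently to an unchecked connection. A comment above the `if`, such as `/* fail the transfer if the stapled OCSP response cannot be verified */`, would record the intent. The new block also appears to run when `config->insecure_ok` is set, so the combination of `-k` and `--cert-status` deserves a sentence in the docs.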