feat(post1-T-4.3): mTLS OCSP stapling on 0.7.x by escapeboy · Pull Request #36 · escapeboy/boruna

escapeboy · 2026-04-29T12:48:31Z

Summary

Adds --tls-ocsp-staple <FILE> to boruna coordinator serve (0.7.x speculative branch)
Server loads a DER-encoded OCSP response at startup and staples it into the TLS handshake via rustls's with_single_cert_with_ocsp()
Connecting clients receive server cert revocation proof without making a separate OCSP request

T-4.2 (PR #27, already merged into 0.7.x): CRL revocation support

ServerTlsPaths.ocsp_staple: Option<PathBuf> — optional OCSP response file
from_optional() gains a 5th ocsp_staple argument; passing OCSP without the TLS trio is a typed startup error
build_server_tls() loads DER bytes and calls with_single_cert_with_ocsp(certs, key, ocsp_bytes) when the staple is set; falls back to with_single_cert() otherwise
Startup error on missing/unreadable OCSP file (fail-fast)

parse_tls_flags_ocsp_without_mtls_rejected — OCSP file without TLS trio → startup error
parse_tls_flags_ocsp_with_valid_mtls_accepted — OCSP path with all three TLS flags → ocsp_staple: Some(path)
All existing parse_tls_flags_* tests pass with updated from_optional signature
cargo test -p boruna-cli --features serve — all pass
cargo clippy -p boruna-cli --features serve -- -D warnings — clean

This change ships on 0.7.x only — not on the 1.x LTS surface.

🤖 Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

escapeboy and others added 2 commits April 29, 2026 15:41

feat(post1-T-4.3): mTLS OCSP stapling on 0.7.x

befb97c

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

style: cargo fmt

e219f84

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

escapeboy merged commit 032a012 into 0.7.x Apr 29, 2026