feat: add OCSP peer verification and stapling support

Wire OcspPeerVerify into the client-cert validation callback in TlsHelper so revocation is checked online when the flag is set. Add TlsHelper.BuildCertificateContext to build an SslStreamCertificateContext with offline:false, enabling the runtime to fetch and staple OCSP responses during the TLS handshake. NatsServer applies the context at startup when OcspConfig.Mode is not Never. Ten unit tests cover the config defaults, mode ordinals, and the null-return invariants of BuildCertificateContext.
2026-02-23 04:38:01 -05:00
parent d69308600a
commit 39a1383de2
3 changed files with 146 additions and 1 deletions
--- a/src/NATS.Server/NatsServer.cs
+++ b/src/NATS.Server/NatsServer.cs
@@ -276,6 +276,19 @@ public sealed class NatsServer : IMessageRouter, ISubListAccess, IDisposable
        if (options.HasTls)
        {
            _sslOptions = TlsHelper.BuildServerAuthOptions(options);
+
+            // OCSP stapling: build a certificate context so the runtime can
+            // fetch and cache a fresh OCSP response and staple it during the
+            // TLS handshake.  offline:false tells the runtime to contact the
+            // OCSP responder; if the responder is unreachable we fall back to
+            // no stapling rather than refusing all connections.
+            var certContext = TlsHelper.BuildCertificateContext(options, offline: false);
+            if (certContext != null)
+            {
+                _sslOptions.ServerCertificateContext = certContext;
+                _logger.LogInformation("OCSP stapling enabled (mode: {OcspMode})", options.OcspConfig!.Mode);
+            }
+
            _serverInfo.TlsRequired = !options.AllowNonTls;
            _serverInfo.TlsAvailable = options.AllowNonTls;
            _serverInfo.TlsVerify = options.TlsVerify;