4 files changed, 45 insertions, 7 deletions

diff --git a/.travis.yml b/.travis.yml
index c7413ea9..343576fe 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,8 +1,11 @@
 sudo: false
+
 language: python
+
 cache:
     directories:
         - $HOME/.cache/pip
+
 matrix:
     include:
         - python: 2.6 # these are just to make travis's UI a bit prettier
@@ -67,42 +70,55 @@ matrix:
           env: TOXENV=py3pep8
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=py26
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=py27
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=py33
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=py34
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=pypy
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=pypy3
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=py26 OPENSSL=0.9.8
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=py27 OPENSSL=0.9.8
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=py33 OPENSSL=0.9.8
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=py34 OPENSSL=0.9.8
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=pypy OPENSSL=0.9.8
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=pypy3 OPENSSL=0.9.8
         - language: generic
           os: osx
+          osx_image: beta-xcode6.3
           env: TOXENV=docs
 
 install:
diff --git a/.travis/install.sh b/.travis/install.sh
index 9e14a92d..7c3e9de2 100755
--- a/.travis/install.sh
+++ b/.travis/install.sh
@@ -4,10 +4,10 @@ set -e
 set -x
 
 if [[ "$(uname -s)" == 'Darwin' ]]; then
-    brew update
+    brew update || brew update
 
     if [[ "${OPENSSL}" != "0.9.8" ]]; then
-        brew upgrade openssl
+        brew outdated openssl || brew upgrade openssl
     fi
 
     if which pyenv > /dev/null; then
@@ -24,22 +24,22 @@ if [[ "$(uname -s)" == 'Darwin' ]]; then
             python get-pip.py --user
             ;;
         py33)
-            brew upgrade pyenv
+            brew outdated pyenv || brew upgrade pyenv
             pyenv install 3.3.6
             pyenv global 3.3.6
             ;;
         py34)
-            brew upgrade pyenv
+            brew outdated pyenv || brew upgrade pyenv
             pyenv install 3.4.2
             pyenv global 3.4.2
             ;;
         pypy)
-            brew upgrade pyenv
+            brew outdated pyenv || brew upgrade pyenv
             pyenv install pypy-2.5.1
             pyenv global pypy-2.5.1
             ;;
         pypy3)
-            brew upgrade pyenv
+            brew outdated pyenv || brew upgrade pyenv
             pyenv install pypy3-2.4.0
             pyenv global pypy3-2.4.0
             ;;
@@ -49,7 +49,7 @@ if [[ "$(uname -s)" == 'Darwin' ]]; then
             ;;
     esac
     pyenv rehash
-    pip install --user virtualenv
+    python -m pip install --user virtualenv
 else
     pip install virtualenv
 fi
diff --git a/docs/x509.rst b/docs/x509.rst
index 8e762ef1..c8505a87 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -710,6 +710,19 @@ X.509 Extensions
     purposes indicated in the key usage extension. The object is
     iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`.
 
+.. class:: OCSPNoCheck
+
+    .. versionadded:: 0.10
+
+    This presence of this extension indicates that an OCSP client can trust a
+    responder for the lifetime of the responder's certificate. CAs issuing
+    such a certificate should realize that a compromise of the responder's key
+    is as serious as the compromise of a CA key used to sign CRLs, at least for
+    the validity period of this certificate. CA's may choose to issue this type
+    of certificate with a very short lifetime and renew it frequently. This
+    extension is only relevant when the certificate is an authorized OCSP
+    responder.
+
 .. class:: AuthorityKeyIdentifier
 
     .. versionadded:: 0.9
@@ -1246,6 +1259,11 @@ Extension OIDs
     Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.1"``. The identifier
     for the :class:`AuthorityInformationAccess` extension type.
 
+.. data:: OID_OCSP_NO_CHECK
+
+    Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1.5"``. The identifier
+    for the :class:`OCSPNoCheck` extension type.
+
 Exceptions
 ~~~~~~~~~~
 
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index c449b7ed..9a3295ce 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -320,6 +320,10 @@ class ExtendedKeyUsage(object):
         return not self == other
 
 
+class OCSPNoCheck(object):
+    pass
+
+
 class BasicConstraints(object):
     def __init__(self, ca, path_length):
         if not isinstance(ca, bool):