I've done a Qualys Labs SSL test against my setup fronted with haproxy,
using this URL:
https://www.ssllabs.com/ssltest/index.html
I thought I had OCSP stapling correctly configured, but Qualys says it's
not there. I ave a cronjob that uses openssl to retrieve the .ocsp file
for each certificate:
-rw------- 1 root root 6151 May 31 14:47 wildcard.stg.REDACTED.com.pem
-rw-r--r-- 1 root root 1609 Jun 2 10:17 wildcard.stg.rEDACTED.com.pem.ocsp
As far as I knew, there was nothing special required in the haproxy
config. How can I troubleshoot this, and is there something I've done
wrong? Here's the haproxy -vv output:
HA-Proxy version 1.5.12 2015/05/02
Copyright 2000-2015 Willy Tarreau <w...@1wt.eu>
Build options :
TARGET = linux2628
CPU = native
CC = gcc
CFLAGS = -O2 -march=native -g -fno-strict-aliasing
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
Running on OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Thanks,
Shawn