Hi,

On Mon, 20 Jul 2015 11:50:50 +0200,
Marc-Antoine <marc-antoine.b...@ovh.net> wrote :

> Hi Lukas,
> 
> frontend cluster:443
>     bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt /home/provisionning/cluster.d
>     default_backend cluster
>     capture request header Host len 255

Using this conf I made some tests. Here is the /home/provisionning content for each case and the result:

---

1)

./0.pem.ocsp
./0.pem
./0.pem.issuer
./cluster.d/8640.pem.ocsp
./cluster.d/8640.pem.issuer
./cluster.d/8485.pem.ocsp
./cluster.d/8485.pem.issuer
./cluster.d/8485.pem
./cluster.d/8640.pem

=> ocsp stapling is working for all certs

2)

./0.pem.ocsp
./0.pem
./0.pem.issuer
./cluster.d/8485.pem.ocsp
./cluster.d/8485.pem.issuer
./cluster.d/8485.pem
./cluster.d/8640.pem

=> ocsp stapling is working for 0 and 8485 certs and broken for 8640 cert

3)

./0.pem.ocsp
./0.pem
./0.pem.issuer
./cluster.d/8640.pem.ocsp
./cluster.d/8640.pem.issuer
./cluster.d/8485.pem
./cluster.d/8640.pem

=> ocsp stapling is working for 0 and 8640 certs and broken for 8485 cert

4)

./0.pem
./cluster.d/8640.pem.ocsp
./cluster.d/8640.pem.issuer
./cluster.d/8485.pem.ocsp
./cluster.d/8485.pem.issuer
./cluster.d/8485.pem
./cluster.d/8640.pem

=> ocsp stapling is broken for all certs

---

Is that normal behavior? I think OCSP stapling should work for the 8485 and 8640 certs in case 4.

Regards,

> 
> ---
> 
> HA-Proxy version 1.5.8 2014/10/31
> Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
> 
> Build options :
>   TARGET  = linux2628
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
> 
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
> 
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.7
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
> Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.30 2012-02-04
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
> 
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
> 
> ---
> 
> If the ocsp file is too old or empty, for example, I got a warning.
> 
> Regards,
> 
> On Fri, 17 Jul 2015 21:50:34 +0200,
> Lukas Tribus <luky...@hotmail.com> wrote :
> 
> > Hi Marc,
> > 
> > 
> > 
> > > Hi all,
> > >
> > > I have some problems making OCSP stapling work. Here is what I did:
> > >
> > > I have 8150.pem with chain, cert and key in it.
> > >
> > > I have 8150.pem.ocsp that seems OK:
> > >
> > > # openssl ocsp -respin 8150.pem.ocsp -text -CAfile alphassl256.chain
> > > OCSP Response Data:
> > > OCSP Response Status: successful (0x0)
> > > Response Type: Basic OCSP Response
> > > Version: 1 (0x0)
> > > Responder Id: 9F10D9EDA5260B71A677124526751E17DC85A62F
> > > Produced At: Jul 9 09:47:04 2015 GMT
> > > Responses:
> > > Certificate ID:
> > > Hash Algorithm: sha1
> > > Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
> > > Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
> > > Serial Number: 11216784E7CA1813F3AD922B60EAF6428EE0
> > > Cert Status: good
> > > This Update: Jul 9 09:47:04 2015 GMT
> > > Next Update: Jul 9 21:47:04 2015 GMT
> > >
> > > No error/warning when launching haproxy, but I'm not sure haproxy is loading the .ocsp
> > > file because there is no notice in the log.
> > >
> > > But nothing in tlsextdebug:
> > >
> > > echo Q | openssl s_client -connect www.beluc.fr:443 -servername www.beluc.fr -tlsextdebug -status -CApath /etc/ssl/certs
> > > [...]
> > > OCSP response: no response sent
> > > [...]
> > >
> > > Do you see something wrong? What can I do in order to debug?
> > 
> > Can you provide the output of "haproxy -vv" please and a
> > config snippet (the frontend ssl configuration)?
> > 
> > Do you see a warning if 8150.pem.ocsp contains garbage when you restart
> > haproxy?
> > 
> > 
> > 
> > Regards,
> > 
> > Lukas
> > 
> > 
> 
> 


-- 
Marc-Antoine
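Added example (not part of the thread): a small POSIX shell helper that reproduces the check Marc-Antoine did by hand, listing for every certificate under a `crt` path whether the `.ocsp` and `.issuer` companions HAProxy looks for are present and non-empty, and flagging responses that are empty or older than a given age. It assumes the `.pem` naming used in the listings above; the 12-hour default age matches the Produced At / Next Update interval in the OCSP dump quoted in the thread.

```shell
#!/bin/sh
# check_ocsp_files.sh: audit the companion files HAProxy needs for OCSP stapling.
# Example code written for this thread, not part of HAProxy. A crt path is
# either a single certificate (0.pem) or a directory of them (cluster.d/).

# Print one line per certificate: "<path> ocsp=yes|no issuer=yes|no".
# "no" means the companion file is missing or empty.
report_stapling_files() {
    crt_path=$1
    if [ -d "$crt_path" ]; then
        set -- "$crt_path"/*.pem      # assumes .pem naming as in the thread
    else
        set -- "$crt_path"
    fi
    for cert in "$@"; do
        [ -f "$cert" ] || continue    # unmatched glob or stray entry
        ocsp=no; issuer=no
        [ -s "$cert.ocsp" ] && ocsp=yes
        [ -s "$cert.issuer" ] && issuer=yes
        printf '%s ocsp=%s issuer=%s\n' "$cert" "$ocsp" "$issuer"
    done
}

# Number of certificates under crt_path that lack a usable .ocsp or .issuer file.
count_missing_stapling() {
    report_stapling_files "$1" | awk '/ocsp=no|issuer=no/ {n++} END {print n+0}'
}

# List .ocsp files that are empty or older than max_age_min minutes (default
# 720, the 12-hour validity window seen in the quoted response). Uses
# find -mmin, available in GNU and BSD find. HAProxy only warns about such
# files at startup, so this is a pre-reload check for a provisioning job.
stale_ocsp_files() {
    crt_path=$1; max_age_min=${2:-720}
    if [ -d "$crt_path" ]; then set -- "$crt_path"/*.pem; else set -- "$crt_path"; fi
    for cert in "$@"; do
        f="$cert.ocsp"
        [ -f "$f" ] || continue
        if [ ! -s "$f" ] || [ -n "$(find "$f" -mmin "+$max_age_min" 2>/dev/null)" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: sh check_ocsp_files.sh /home/provisionning/0.pem /home/provisionning/cluster.d
for p in "$@"; do
    report_stapling_files "$p"
    stale_ocsp_files "$p" | sed 's/^/stale or empty: /'
done
```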
