Hi, On Mon, 20 Jul 2015 11:50:50 +0200, Marc-Antoine <marc-antoine.b...@ovh.net> wrote :
> Hi Lukas,
>
> frontend cluster:443
>     bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt /home/provisionning/cluster.d
>     default_backend cluster
>     capture request header Host len 255

Using this conf I made some tests. Here is the /home/provisionning content, case and result:

---
1)
./0.pem.ocsp
./0.pem
./0.pem.issuer
./cluster.d/8640.pem.ocsp
./cluster.d/8640.pem.issuer
./cluster.d/8485.pem.ocsp
./cluster.d/8485.pem.issuer
./cluster.d/8485.pem
./cluster.d/8640.pem
=> ocsp stapling is working for all certs

2)
./0.pem.ocsp
./0.pem
./0.pem.issuer
./cluster.d/8485.pem.ocsp
./cluster.d/8485.pem.issuer
./cluster.d/8485.pem
./cluster.d/8640.pem
=> ocsp stapling is working for 0 and 8485 certs and broken for 8640 cert

3)
./0.pem.ocsp
./0.pem
./0.pem.issuer
./cluster.d/8640.pem.ocsp
./cluster.d/8640.pem.issuer
./cluster.d/8485.pem
./cluster.d/8640.pem
=> ocsp stapling is working for 0 and 8640 certs and broken for 8485 cert

4)
./0.pem
./cluster.d/8640.pem.ocsp
./cluster.d/8640.pem.issuer
./cluster.d/8485.pem.ocsp
./cluster.d/8485.pem.issuer
./cluster.d/8485.pem
./cluster.d/8640.pem
=> ocsp stapling is broken for all certs
---

Is that a normal behavior? I think ocsp stapling should work for 8485 and 8640 certs in case 4.

Regards,

>
> ---
>
> HA-Proxy version 1.5.8 2014/10/31
> Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
>
> Build options :
>   TARGET  = linux2628
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.7
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
> Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.30 2012-02-04
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
>
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
>
> ---
>
> If the ocsp file is too old or empty, for example, I got a warning.
>
> Regards,
>
> On Fri, 17 Jul 2015 21:50:34 +0200,
> Lukas Tribus <luky...@hotmail.com> wrote :
>
> > Hi Marc,
> >
> >
> > > Hi all,
> > >
> > > I have some problem making ocsp stapling working. Here is what I did:
> > >
> > > I have 8150.pem with chain, cert and key in it.
> > >
> > > I have 8150.pem.ocsp that seems ok:
> > >
> > > # openssl ocsp -respin 8150.pem.ocsp -text -CAfile alphassl256.chain
> > > OCSP Response Data:
> > >     OCSP Response Status: successful (0x0)
> > >     Response Type: Basic OCSP Response
> > >     Version: 1 (0x0)
> > >     Responder Id: 9F10D9EDA5260B71A677124526751E17DC85A62F
> > >     Produced At: Jul  9 09:47:04 2015 GMT
> > >     Responses:
> > >     Certificate ID:
> > >       Hash Algorithm: sha1
> > >       Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
> > >       Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
> > >       Serial Number: 11216784E7CA1813F3AD922B60EAF6428EE0
> > >     Cert Status: good
> > >     This Update: Jul  9 09:47:04 2015 GMT
> > >     Next Update: Jul  9 21:47:04 2015 GMT
> > >
> > > No error/warn at haproxy launching, but not sure haproxy is loading the .ocsp
> > > file because there is no notice in the log.
> > >
> > > But nothing in tlsextdebug:
> > >
> > > echo Q | openssl s_client -connect www.beluc.fr:443 -servername www.beluc.fr -tlsextdebug -status -CApath /etc/ssl/certs
> > > [...]
> > > OCSP response: no response sent
> > > [...]
> > >
> > > Do you see smth wrong? What can I do in order to debug?
> >
> > Can you provide the output of "haproxy -vv" please and a
> > config snippet (the frontend ssl configuration)?
> >
> > Do you see a warning if 8150.pem.ocsp contains garbage when you restart
> > haproxy?
> >
> >
> >
> > Regards,
> >
> > Lukas
> >
> >
> >

-- 
Marc-Antoine
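A pre-flight check for the crt directory layouts the thread walks through, added here as an example (Python; not code from the thread or from the HAProxy project): for every certificate under a directory it reports whether the `.pem.ocsp` and `.pem.issuer` companions named in the thread are present and whether the `.ocsp` file is non-empty, so a layout like case 2 or case 4 is caught before a reload. It assumes only that companion naming; it does not model how HAProxy itself reacts to a missing file.

```python
import tempfile
from pathlib import Path

# Companion files HAProxy looks for beside each certificate (naming as used in the thread):
#   <cert>.pem.ocsp   -> DER OCSP response to staple
#   <cert>.pem.issuer -> issuer certificate used to check that response
COMPANIONS = (".ocsp", ".issuer")


def check_cert_dir(directory):
    """Return {cert: [problems]} for every *.pem below `directory` (subdirectories
    included, so a layout of 0.pem plus cluster.d/*.pem is covered).
    An empty list means both companions exist and the .ocsp file is non-empty."""
    root = Path(directory)
    report = {}
    for cert in sorted(root.rglob("*.pem")):
        rel = cert.relative_to(root).as_posix()
        problems = []
        for suffix in COMPANIONS:
            companion = cert.with_name(cert.name + suffix)
            if not companion.is_file():
                problems.append(f"missing {rel}{suffix}")
            elif suffix == ".ocsp" and companion.stat().st_size == 0:
                # The thread reports a warning for an empty .ocsp file; flag it explicitly.
                problems.append(f"empty {rel}{suffix}")
        report[rel] = problems
    return report


def report_for_layout(files, empty=()):
    """Build a constructed file tree in a temporary directory and check it.
    `files` are relative paths; each gets placeholder content unless listed in `empty`."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in files:
            path = Path(tmp, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"" if name in empty else b"placeholder\n")
        return check_cert_dir(tmp)


if __name__ == "__main__":
    # Case 2 from the thread: 0.pem and 8485.pem complete, 8640.pem without companions.
    case_2 = ["0.pem", "0.pem.ocsp", "0.pem.issuer",
              "cluster.d/8485.pem", "cluster.d/8485.pem.ocsp", "cluster.d/8485.pem.issuer",
              "cluster.d/8640.pem"]
    for cert, problems in report_for_layout(case_2).items():
        print(f"{cert}: {'OK' if not problems else '; '.join(problems)}")
```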