On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov <ig...@encompasscorporation.com> wrote:
> Hi,
>
> # haproxy -v
> HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
> Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>
>
> I noticed that in case of multiple domains and OCSP setup:
>
> # ls -1 /etc/haproxy/ssl.d/*.ocsp
> /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
> /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
> /etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
> /etc/haproxy/ssl.d/star_domain4_com.crt.ocsp
>
> I get OCSP response from haproxy only for one of the domains
> domain.com. Tested via:
>
> $ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug
> -status -servername domain[234].com
>
> Is this expected?
> Any comments/ideas regarding this?

I further noticed that the OCSP code probably does not check the certificate's SANs and matches only on the CN in the subject, since calls to whatever.domain.tld get stapled but calls to domain.tld do not.
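The per-name test in the mail is done by hand with `openssl s_client`; the script below automates it so every SNI name (apex and subdomain for each certificate) can be probed in one go and the result read off per name. This is an added example and not part of the mail or of HAProxy: it only wraps the `openssl s_client -status -servername` invocation already shown above and classifies the transcript. The host names you pass are your own; the two sample transcripts embedded at the bottom are constructed from the shape of `s_client -status` output so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original mail): probe each SNI name HAProxy
# serves and report whether a stapled OCSP response came back.
# Assumes the `openssl` binary is on PATH; the host names given on the
# command line are placeholders you supply (e.g. domain.com www.domain.com).

# Classify an `openssl s_client -status` transcript read from stdin.
# Prints exactly one of: stapled, no-response, error:<status>, unknown
classify_ocsp() {
    transcript=$(cat)
    case "$transcript" in
        *"OCSP Response Status: successful"*)
            echo stapled ;;
        *"OCSP response: no response sent"*)
            echo no-response ;;
        *"OCSP Response Status: "*)
            # Some other responder status was stapled (tryLater, unauthorized, ...)
            echo "error:$(printf '%s\n' "$transcript" \
                | sed -n 's/^[[:space:]]*OCSP Response Status: \(.*\)$/\1/p' \
                | head -n 1)" ;;
        *)
            echo unknown ;;
    esac
}

# Probe one name: connect to host:port and present `servername` via SNI,
# defaulting the SNI name to the host. `-status` requests a stapled response
# (the status_request extension); `echo |` ends the session right after the
# handshake so openssl exits.
probe_ocsp() {
    host=$1
    servername=${2:-$1}
    port=${3:-443}
    echo | openssl s_client -connect "$host:$port" -servername "$servername" \
        -status 2>/dev/null | classify_ocsp
}

# Probe several names and print one line per name. Pass both the apex
# (domain.tld) and a subdomain (www.domain.tld) for each certificate, since
# the two may select different certificates on the HAProxy side.
check_all() {
    for name in "$@"; do
        printf '%-40s %s\n' "$name" "$(probe_ocsp "$name")"
    done
}

# Constructed transcripts (trimmed to the lines that matter) so the
# classifier can be exercised without a network.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

demo_offline() {
    printf '%s\n' "$SAMPLE_STAPLED" | classify_ocsp   # stapled
    printf '%s\n' "$SAMPLE_NONE" | classify_ocsp      # no-response
}

if [ $# -gt 0 ]; then
    check_all "$@"
else
    demo_offline
fi
```

Run it as `sh ocsp-check.sh domain.com www.domain.com domain2.com www.domain2.com ...`; a name that prints `no-response` is one for which the certificate HAProxy selected for that SNI had no loaded `.ocsp` file, which is the quickest way to tell a stapling gap from a SAN/CN selection question.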