On 2023-07-20 11:14, William Lallemand wrote:
On Thu, Jul 20, 2023 at 10:23:21AM +0200, Sander Klein wrote:
On 2023-07-19 11:00, William Lallemand wrote:
"show ssl ocsp-response" gives me a lot of output like:
Certificate ID key : *LONGID*
Certificate path : /path/to/cert.pem
Certificate ID:
Issuer Name Hash: *HASH*
Issuer Key Hash: *ANOTHERHASH*
Serial Number: *SERIAL*
You should check with the path argument so it gives you the date and
status.
Okay, so, on HAProxy 2.8.1 with the path argument I get a correct
response:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = R3
Produced At: Jul 18 07:22:00 2023 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
Serial Number: 0323CDB93D804581B31A8D0CB737AD57728D
Cert Status: good
This Update: Jul 18 07:00:00 2023 GMT
Next Update: Jul 25 06:59:58 2023 GMT
Signature Algorithm: sha256WithRSAEncryption
Jul 20 10:14:30 some.hostname.nl haproxy[452783]: x.x.x.x:54404
[20/Jul/2023:10:14:30.375] cluster1-in/3: SSL handshake failure
(error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate)
This message could be a lot of things, a wrongly generated certificate,
unsupported signature algorithms, incorrect chain...
They are plain Let's Encrypt certificates created with acme.sh and with
OCSP must-staple enabled. Moreover, they work in 2.6.14.
Downgrading to 2.6.14 fixes it again.
I don't see why it would change like this, did you change the openssl
version linked to haproxy? Recent distributions have restrained some old
algorithms and that could be a problem. We didn't change many things in
the loading between 2.6 and 2.8 so I'm not seeing why the behavior
changed.
The packages I use are the Debian 11 packages from Vincent Bernat.
Looking at the ldd output, nothing has changed. Also no libraries are
changed/upgraded when HAProxy is upgraded.
The best thing to do is to test with `openssl s_client -showcerts
-connect some.hostname.nl:443` with both your versions to identify what
changed.
I've tested with `openssl s_client -showcerts -connect mydomain.com:443
-servername mydomain.com -status -tlsextdebug`
On 2.6.14 I get an OCSP response, on 2.8.1 I get:
"OCSP response: no response sent"
It really looks like HAProxy doesn't want to send the response coming
from the file. Is there any more information I can gather?
Regards,
Sander
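A small checker for the `openssl s_client -status` probe used above, added here as an example (not code from the thread or from HAProxy). It runs the same probe against a host and classifies what the server stapled, flagging a missing response (the "no response sent" case seen on 2.8.1) and a staple whose `Next Update` has already passed. The embedded sample outputs are constructed from the transcripts quoted in the thread; it assumes `openssl` is on PATH.

```python
"""Classify the OCSP staple returned by `openssl s_client -status`."""
import re
import subprocess
from datetime import datetime, timezone

# Constructed samples modelled on the two outputs quoted in the thread.
STAPLED = """OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responses:
      Cert Status: good
      This Update: Jul 18 07:00:00 2023 GMT
      Next Update: Jul 25 06:59:58 2023 GMT
"""
NOT_STAPLED = "OCSP response: no response sent\n"


def s_client_output(host, port=443):
    """Run the probe from the thread: -status requests a staple, -tlsextdebug lists extensions."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host,
           "-status", "-tlsextdebug"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return proc.stdout.decode(errors="replace")


def classify_staple(output, now=None):
    """Return 'none', 'error', 'stale', 'revoked' or 'good' for one s_client transcript.

    `now` may be a datetime or an ISO 8601 string; it defaults to the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    if "no response sent" in output:
        return "none"                      # server did not staple anything
    m = re.search(r"OCSP Response Status: (\w+)", output)
    if not m or m.group(1) != "successful":
        return "error"                     # responder error status was stapled
    nxt = re.search(r"Next Update: (\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) GMT", output)
    if nxt:  # strptime treats the format's space as "one or more spaces"
        expiry = datetime.strptime(nxt.group(1), "%b %d %H:%M:%S %Y")
        if expiry.replace(tzinfo=timezone.utc) <= now:
            return "stale"                 # served past its validity window
    status = re.search(r"Cert Status: (\w+)", output)
    if status is None:
        return "error"
    return "good" if status.group(1) == "good" else "revoked"
```

`classify_staple(s_client_output("some.hostname.nl"))` reproduces the comparison between the two HAProxy versions without reading the transcript by eye.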