Hello,

On 21/07/2023 11:51, Jarno Huuskonen wrote:
Hi,

On Thu, 2023-07-20 at 20:27 +0200, Sander Klein wrote:
The best thing to do is to test with `openssl s_client -showcerts
-connect some.hostname.nl:443` with both your versions to identify what
changed.
I've tested with 'openssl s_client -showcerts -connect mydomain.com:443
-servername mydomain.com -status -tlsextdebug'

Does 2.8.1 send ocsp response if you connect with ipv4 address:
openssl s_client -showcerts -connect ipaddress:443 ...
(with or without -servername)

On 2.6.14 I get an OCSP response, on 2.8.1 I get:

"OCSP response: no response sent"

It really looks like HAProxy doesn't want to send the response coming
from the file. Is there any more information I can gather?
I get the same result as Sander (2.6.x sends ocsp and 2.8.1 doesn't). I've
ipv4 and ipv6 binds and for ipv4 connection haproxy(2.8.1) sends ocsp and
for ipv6 it doesn't.

bind ipv4@:443 name v4ssl ssl crt-list /etc/haproxy/ssl/example.crtlist
bind ipv6@:::443 name v6ssl ssl crt-list /etc/haproxy/ssl/example.crtlist

(And example.crtlist:
/etc/haproxy/ssl/somecertfile.pem.ecdsa [alpn h2,http/1.1]
)
(and somecertfile.pem.ecdsa.ocsp in /etc/haproxy/ssl)

If I change the order of ipv4 / ipv6 binds (so bind ipv6@:::443 name
v6ssl... is first) then haproxy(2.8.1) sends ocsp with ipv6 connection and
not with ipv4.

Thanks for the extra info, I seem to have a reproducer. I'll look into it and hopefully fixing it will fix Sander's issue as well.

Rémi
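An added check script, not from this thread and not HAProxy's own tooling, that runs the same `openssl s_client -status` probe against every listener address of a host so a difference between the IPv4 and IPv6 binds stands out at a glance; the host, addresses and the sample output excerpts are constructed.

```shell
#!/bin/sh
# Added example: probe each listener address with "openssl s_client -status"
# and report whether an OCSP response was stapled on that address.

# Classify captured s_client output read from stdin:
# "stapled", "none" (server sent no OCSP response) or "unknown".
ocsp_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo none ;;
        *"OCSP Response Status: successful"*) echo stapled ;;
        *) echo unknown ;;
    esac
}

# Connect to one address (IPv4 or IPv6 literal) while sending the SNI of $host.
check_stapling() {
    host=$1; addr=$2; port=${3:-443}
    case "$addr" in
        *:*) target="[$addr]:$port" ;;   # IPv6 literal needs brackets
        *)   target="$addr:$port" ;;
    esac
    printf 'Q\n' | openssl s_client -connect "$target" -servername "$host" \
        -status 2>/dev/null | ocsp_status
}

# Check every address, e.g.: check_all example.com 192.0.2.10 2001:db8::10
check_all() {
    host=$1; shift
    for addr in "$@"; do
        printf '%-40s %s\n' "$addr" "$(check_stapling "$host" "$addr")"
    done
}

# Constructed excerpts of s_client -status output, used for offline testing.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)'
SAMPLE_NONE='OCSP response: no response sent'

if [ "$#" -ge 2 ]; then
    check_all "$@"
fi
```

Run it as `sh check_ocsp.sh example.com 192.0.2.10 2001:db8::10`; an address that reports `none` while another reports `stapled` reproduces the bind-order symptom described above.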
