OCSP stapling with multiple domains

2018-11-10 Thread Igor Cicimov
Hi,

# haproxy -v
HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
Copyright 2000-2018 Willy Tarreau 

I noticed that in case of multiple domains and OCSP setup:

# ls -1 /etc/haproxy/ssl.d/*.ocsp
/etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
/etc/haproxy/ssl.d/star_domain_com.crt.ocsp
/etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
/etc/haproxy/ssl.d/star_domain4_com.crt.ocsp

I get OCSP response from haproxy only for one of the domains
domain.com. Tested via:

$ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug
-status -servername domain[234].com

Is this expected?



Re: OCSP stapling with multiple domains

2018-11-13 Thread Igor Cicimov
On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov wrote:

> Hi,
>
> # haproxy -v
> HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
> Copyright 2000-2018 Willy Tarreau 
>
> I noticed that in case of multiple domains and OCSP setup:
>
> # ls -1 /etc/haproxy/ssl.d/*.ocsp
> /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
> /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
> /etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
> /etc/haproxy/ssl.d/star_domain4_com.crt.ocsp
>
> I get OCSP response from haproxy only for one of the domains
> domain.com. Tested via:
>
> $ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug
> -status -servername domain[234].com
>
> Is this expected?
>

Any comments/ideas regarding this? Further noticed that OCSP code probably
does not check the certificate's SANs and matches only based on the CN in
the subject since the calls to whatever.domain.tld get stapled but to
domain.tld do not.


Re: OCSP stapling with multiple domains

2018-11-26 Thread Moemen MHEDHBI

On 11/14/18 1:34 AM, Igor Cicimov wrote:
> On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov wrote:
>
> Hi,
>
> # haproxy -v
> HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
> Copyright 2000-2018 Willy Tarreau
>
> I noticed that in case of multiple domains and OCSP setup:
>
> # ls -1 /etc/haproxy/ssl.d/*.ocsp
> /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
> /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
> /etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
> /etc/haproxy/ssl.d/star_domain4_com.crt.ocsp
>
> I get OCSP response from haproxy only for one of the domains
> domain.com. Tested via:
>
> $ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug
> -status -servername domain[234].com
>
> Is this expected?
>
>
> Any comments/ideas regarding this? Further noticed that OCSP code
> probably does not check the certificate's SANs and matches only based
> on the CN in the subject since the calls to whatever.domain.tld get
> stapled but to domain.tld do not.
>
Hi Igor,

Testing OCSP on multiple certificates with different domains (based on
the CN) works correctly for me. (a.domain.com, b.domain.com, c.domain.com)

Are you using multiple certs with same CN but different SANs?

-- 
Moemen MHEDHBI



Re: OCSP stapling with multiple domains

2018-11-26 Thread Igor Cicimov
Hi Moemen,

On Tue, Nov 27, 2018 at 1:24 AM Moemen MHEDHBI wrote:
>
>
> On 11/14/18 1:34 AM, Igor Cicimov wrote:
>
> On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov wrote:
>>
>> Hi,
>>
>> # haproxy -v
>> HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
>> Copyright 2000-2018 Willy Tarreau 
>>
>> I noticed that in case of multiple domains and OCSP setup:
>>
>> # ls -1 /etc/haproxy/ssl.d/*.ocsp
>> /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
>> /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
>> /etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
>> /etc/haproxy/ssl.d/star_domain4_com.crt.ocsp
>>
>> I get OCSP response from haproxy only for one of the domains
>> domain.com. Tested via:
>>
>> $ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug
>> -status -servername domain[234].com
>>
>> Is this expected?
>
>
> Any comments/ideas regarding this? Further noticed that OCSP code probably
> does not check the certificate's SANs and matches only based on the CN in the
> subject since the calls to whatever.domain.tld get stapled but to domain.tld
> do not.
>
> Hi Igor,
>
> Testing OCSP on multiple certificates with different domains (based on the 
> CN) works correctly for me. (a.domain.com, b.domain.com, c.domain.com)
>
> Are you using multiple certs with same CN but different SANs?

The certificates belong to completely separate domains, so not
subdomains of the same domain like in your case. They are also
wildcard certs so here is the layout:

# ls -1 /etc/haproxy/ssl.d/
star_domain1_com.crt
star_domain1_com.crt.ocsp
star_domain2_com.crt
star_domain2_com.crt.ocsp
star_domain3_com.crt
star_domain3_com.crt.ocsp

# for i in `ls -1 /etc/haproxy/ssl.d/*.crt`; do openssl x509 -noout
-subject -in $i; done
subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain2.com
subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain3.com

The SAN only contains the certificate's domain and nothing else, for
example for domain3.com:

X509v3 Subject Alternative Name:
DNS:*.domain3.com, DNS:domain3.com

The haproxy bind line in the frontend looks like:

 bind *:443 ssl crt /etc/haproxy/ssl.d/ ...

And here is the output of the daily cronjob that updates the OCSP for haproxy:

Date: Mon, 26 Nov 2018 05:00:01 + (GMT)

/etc/haproxy/ssl.d/star_domain1_com.crt: good
This Update: Nov 25 17:39:11 2018 GMT
Next Update: Dec  2 16:54:11 2018 GMT
OCSP Response updated!
/etc/haproxy/ssl.d/star_domain2_com.crt: good
This Update: Nov 24 20:49:57 2018 GMT
Next Update: Dec  1 20:04:57 2018 GMT
OCSP Response updated!
/etc/haproxy/ssl.d/star_domain3_com.crt: good
This Update: Nov 25 14:09:00 2018 GMT
Next Update: Dec  2 13:24:00 2018 GMT
OCSP Response updated!

I can confirm this is working as intended on other servers I have with
1.7.11 and 1.8.14, so it must be something specific to this one that I
struggle to understand (to be even more confusing it is all being
set up by Ansible in the same way as everywhere else).

Under what circumstances would a setup like this not work in terms of
OCSP? Example:

$ echo | openssl s_client -connect server:443 -tlsextdebug -status
-servername domain1.com | grep -E 'OCSP|domain1'
depth=0 C = AU, ST = New South Wales, L = Sydney, O = My Company, CN =
*.domain1.com
verify return:1
DONE
OCSP response: no response sent
 0 s:/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
subject=/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com

Thanks for your input by the way, very much appreciated.
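A check a practitioner would run at this point, added here as an example and not code from the thread: it repeats the `openssl s_client -status` probe above for every SNI name a listener should staple for, both a wildcard-covered subdomain and the naked domain, and classifies each result. The server name, the domain list and the `OCSP_HOST`/`OCSP_DOMAINS` variables are placeholders of mine.

```shell
#!/bin/sh
# Added example, not from the thread. Probes a haproxy listener with
# several SNI names and reports whether each one got an OCSP staple.
# Assumes `openssl` is on PATH; host and domain names are placeholders.

# Reduce `openssl s_client -status` output (read from stdin) to one word:
#   stapled - a stapled OCSP response was delivered
#   none    - "OCSP response: no response sent", as seen in the thread
#   error   - handshake failed or output not recognised
classify_ocsp_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
    else
        echo error
    fi
}

# Handshake once with the given SNI name. -status sends the TLS
# status_request extension; the leading `echo` ends the session afterwards.
probe_sni() {
    srv=$1; sni=$2
    echo | openssl s_client -connect "$srv:443" -servername "$sni" -status \
        2>/dev/null | classify_ocsp_output
}

# For each certificate domain test both a wildcard-covered subdomain and
# the naked domain: with CN=*.domainN.com only the SAN entry can match
# the naked name, so the two may select different certificates.
# Returns non-zero if any name came back without a staple.
check_all() {
    host=$1; shift
    rc=0
    for d in "$@"; do
        for name in "www.$d" "$d"; do
            status=$(probe_sni "$host" "$name")
            printf '%-30s %s\n' "$name" "$status"
            [ "$status" = stapled ] || rc=1
        done
    done
    return $rc
}

# Usage: OCSP_HOST=server OCSP_DOMAINS="domain1.com domain2.com" sh ocsp-check.sh
if [ -n "${OCSP_HOST:-}" ]; then
    check_all "$OCSP_HOST" $OCSP_DOMAINS
fi
```

A name that reports `none` while its `.crt.ocsp` file is fresh points at certificate selection or at haproxy still holding the response it loaded at startup, which narrows the search considerably.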



Re: OCSP stapling with multiple domains

2018-11-28 Thread Moemen MHEDHBI
@list: sorry for the incorrect subject in my previous answer. At some
point the subject changed when email was saved and encrypted in Drafts.

On 28/11/2018 18:59, Moemen MHEDHBI wrote:
> Hi Igor,
>
> On 11/27/18 12:48 AM, Igor Cicimov wrote:
>> Hi Moemen,
>>
>> On Tue, Nov 27, 2018 at 1:24 AM Moemen MHEDHBI  wrote:
>>> On 11/14/18 1:34 AM, Igor Cicimov wrote:
>>>
>>> On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov wrote:
>>>> Hi,
>>>>
>>>> # haproxy -v
>>>> HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
>>>> Copyright 2000-2018 Willy Tarreau
>>>>
>>>> I noticed that in case of multiple domains and OCSP setup:
>>>>
>>>> # ls -1 /etc/haproxy/ssl.d/*.ocsp
>>>> /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
>>>> /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
>>>> /etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
>>>> /etc/haproxy/ssl.d/star_domain4_com.crt.ocsp
>>>>
>>>> I get OCSP response from haproxy only for one of the domains
>>>> domain.com. Tested via:
>>>>
>>>> $ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug
>>>> -status -servername domain[234].com
>>>>
>>>> Is this expected?
>>> Any comments/ideas regarding this? Further noticed that OCSP code probably
>>> does not check the certificate's SANs and matches only based on the CN in
>>> the subject since the calls to whatever.domain.tld get stapled but to
>>> domain.tld do not.
>>>
>>> Hi Igor,
>>>
>>> Testing OCSP on multiple certificates with different domains (based on the 
>>> CN) works correctly for me. (a.domain.com, b.domain.com, c.domain.com)
>>>
>>> Are you using multiple certs with same CN but different SANs?
>> The certificates belong to completely separate domains, so not
>> subdomains of the same domain like in your case. They are also
>> wildcard certs so here is the layout:
>>
>> # ls -1 /etc/haproxy/ssl.d/
>> star_domain1_com.crt
>> star_domain1_com.crt.ocsp
>> star_domain2_com.crt
>> star_domain2_com.crt.ocsp
>> star_domain3_com.crt
>> star_domain3_com.crt.ocsp
>>
>> # for i in `ls -1 /etc/haproxy/ssl.d/*.crt`; do openssl x509 -noout
>> -subject -in $i; done
>> subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
>> subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain2.com
>> subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain3.com
>>
>> The SAN only contains the certificate's domain and nothing else, for
>> example for domain3.com:
>>
>> X509v3 Subject Alternative Name:
>> DNS:*.domain3.com, DNS:domain3.com
>>
>> The haproxy bind line in the frontend looks like:
>>
>>  bind *:443 ssl crt /etc/haproxy/ssl.d/ ...
>>
>> And here is the output of the daily cronjob that updates the OCSP for 
>> haproxy:
>>
>> Date: Mon, 26 Nov 2018 05:00:01 + (GMT)
>>
>> /etc/haproxy/ssl.d/star_domain1_com.crt: good
>> This Update: Nov 25 17:39:11 2018 GMT
>> Next Update: Dec  2 16:54:11 2018 GMT
>> OCSP Response updated!
>> /etc/haproxy/ssl.d/star_domain2_com.crt: good
>> This Update: Nov 24 20:49:57 2018 GMT
>> Next Update: Dec  1 20:04:57 2018 GMT
>> OCSP Response updated!
>> /etc/haproxy/ssl.d/star_domain3_com.crt: good
>> This Update: Nov 25 14:09:00 2018 GMT
>> Next Update: Dec  2 13:24:00 2018 GMT
>> OCSP Response updated!
>>
>> I can confirm this is working as intended on other servers I have with
>> 1.7.11 and 1.8.14, so it must be something specific to this one that I
>> struggle to understand (to be even more confusing it is all being
>> set up by Ansible in the same way as everywhere else).
>>
>> Under what circumstances would a setup like this not work in terms of
>> OCSP? Example:
>>
>> $ echo | openssl s_client -connect server:443 -tlsextdebug -status
>> -servername domain1.com | grep -E 'OCSP|domain1'
>> depth=0 C = AU, ST = New South Wales, L = Sydney, O = My Company, CN =
>> *.domain1.com
>> verify return:1
>> DONE
>> OCSP response: no response sent
>>  0 s:/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
>> subject=/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
>>
>> Thanks for your input by the way, very much appreciated.
>
> If I am understanding this correctly when you use the naked domain
> 'domain1.com', you don't get an OCSP response (despite mentioning the
> domain in the SAN extension).
>
> Is this the case for all the domains or only one of them? I am asking
> this since you're mentioning multiple domains.
>
> I was testing the same config with HA-Proxy version 1.8.14 2018/09/20
> without being able to reproduce this.
>
> $ echo quit | openssl s_client -connect localhost:443 -servername
> 'example.org' -status | egrep 'OCSP|example'
> OCSP response:
> OCSP Response Data:
>     OCSP Response Status: successful (0x0)
>     Response Type: Basic OCSP Response
>     OCSP Nonce:
> subject=/C=FR/ST=PARIS/O=MMH/OU=server/CN=*.example.org
>
> I only get "no response sent" when the "naked" domain is not mentioned
> in the SAN, which is expected.
>
>
>> I can c