Hello,

I'm trying to make use of the new ocsp-update mechanism, and finding no success (yet).

I've migrated my crt bind arguments to a crt-list argument (+ relevant file) and that loads in and gets used fine, but despite having "ocsp-update on" on the lines, I'm not seeing any ocsp update being triggered (and naturally there are no ocsp responses being returned).

Relevant outputs:

$ echo "show ssl crt-list" | socat - /var/run/haproxy/admin.sock
/etc/haproxy/ssl/crtlist-mdex-public-direct.conf
...

$ echo "show ssl crt-list /etc/haproxy/ssl/crtlist-mdex-public-direct.conf" | socat - /var/run/haproxy/admin.sock
/etc/haproxy/ssl/mangadex.dev.pem ocsp-update on mangadex.dev *.mangadex.dev

$ echo "show ssl ocsp-updates" | socat - /var/run/haproxy/admin.sock
OCSP Certid | Path | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)

One potential hint I find is when using "update ssl ocsp-response <certfile>":

$ echo "update ssl ocsp-response /etc/haproxy/ssl/mangadex.dev.pem" | socat - /var/run/haproxy/admin.sock
'update ssl ocsp-response' only works on certificates that already have a known OCSP response.
Can't send ocsp request for /etc/haproxy/ssl/mangadex.dev.pem!

And indeed, the (cli command) docs mention:
> This command will only work for certificates
> that already had a stored OCSP response, either because it was provided
> during init or if it was previously set through the "set ssl cert" or "set
> ssl ocsp-response" commands

So then:
- does the ocsp-update feature also require an initial OCSP response to start at all, like the cli command?
- if so, why? (and we should get that documented on the ocsp-update flag)
- does the OCSP update mechanism update the files on-disk?
- if not, what happens if upon restart/reload of HAProxy the .ocsp file is outdated? will HAProxy aggressively try to get an up-to-date response before starting its listeners or will I be risking ssl issues by enabling OCSP must-staple with it?

(Probably not super relevant, but this is with HAProxy 2.8.1 and QuicTLS 1.1.1t)

Thanks in advance,
Tristan

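An added triage script, not part of Tristan's message and not HAProxy's own code: it correlates the two CLI outputs quoted above ("show ssl crt-list <file>" and "show ssl ocsp-updates") and reports certificates that carry "ocsp-update on" but never appear in the updater table (the exact symptom in the post), plus tracked entries that have only failed so far or whose next update is already overdue. The sample dumps, the placeholder Certid and the fixed "now" are constructed for the demo; the date format for the Next Update / Last Update columns (dd/Mon/YYYY:HH:MM:SS +zzzz, "-" for never) is taken from the examples in HAProxy's management documentation and is an assumption here.

```python
"""Triage helper for HAProxy's ocsp-update feature (added example).

Correlates two CLI dumps:
  - "show ssl crt-list <file>"  -> which certs have "ocsp-update on"
  - "show ssl ocsp-updates"     -> which certs the updater is tracking
Feed it the real output of both commands (e.g. via socat) in place of
the constructed samples below.
"""
import re
from datetime import datetime, timezone

# Date format used by "show ssl ocsp-updates" for Next/Last Update columns.
# Taken from HAProxy's management docs examples; treated as an assumption.
OCSP_DATE_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample of "show ssl crt-list <file>" output. Covers the bare
# form seen in the post and the bracketed form used in crt-list files.
SAMPLE_CRT_LIST = """\
/etc/haproxy/ssl/mangadex.dev.pem ocsp-update on mangadex.dev *.mangadex.dev
/etc/haproxy/ssl/other.pem [ocsp-update on] other.example
/etc/haproxy/ssl/plain.pem plain.example
"""

# Constructed sample of "show ssl ocsp-updates" output (Certid is a placeholder).
SAMPLE_OCSP_UPDATES = """\
OCSP Certid | Path | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
deadbeef | /etc/haproxy/ssl/other.pem | 30/Jan/2023:00:08:09 +0000 | - | 0 | 1 | 2 | HTTP error
"""

# Fixed reference time so the demo is reproducible (constructed).
SAMPLE_NOW = datetime(2023, 2, 1, tzinfo=timezone.utc)

OCSP_ON_RE = re.compile(r"\[?\s*ocsp-update\s+on\b\s*\]?")


def parse_crt_list(text):
    """Return {cert_path: ocsp_update_enabled} from a crt-list dump."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path = line.split()[0]          # first token is always the cert file
        result[path] = OCSP_ON_RE.search(line) is not None
    return result


def parse_ocsp_updates(text):
    """Return {cert_path: row dict} from the pipe-separated updater table."""
    rows = {}
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return rows
    header = [h.strip() for h in lines[0].split("|")]
    for line in lines[1:]:
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != len(header):
            continue                    # truncated line: skip rather than guess
        row = dict(zip(header, fields))
        row["Successes"] = int(row["Successes"])
        row["Failures"] = int(row["Failures"])
        rows[row["Path"]] = row
    return rows


def parse_ocsp_date(value):
    """'-' means the updater has never run for this entry."""
    return None if value == "-" else datetime.strptime(value, OCSP_DATE_FMT)


def triage(crt_list_text, ocsp_updates_text, now):
    """Return [(cert_path, problem), ...] ordered by path."""
    enabled = {p for p, on in parse_crt_list(crt_list_text).items() if on}
    tracked = parse_ocsp_updates(ocsp_updates_text)
    problems = []
    for path in sorted(enabled):
        row = tracked.get(path)
        if row is None:
            # The symptom from the post: flag set, but no update ever scheduled.
            problems.append((path, "ocsp-update on but not registered with the updater"))
            continue
        if row["Failures"] and row["Successes"] == 0:
            problems.append((path, "no successful update yet: " + row["Last Update Status (str)"]))
        nxt = parse_ocsp_date(row["Next Update"])
        if nxt is not None and nxt < now:
            problems.append((path, "next update is in the past (%s)" % row["Next Update"]))
    return problems


def demo():
    """Run the triage over the constructed samples."""
    return triage(SAMPLE_CRT_LIST, SAMPLE_OCSP_UPDATES, SAMPLE_NOW)


if __name__ == "__main__":
    for path, problem in demo():
        print("%s: %s" % (path, problem))
```

In production, replace the two sample strings with the captured output of the corresponding CLI commands and pass a timezone-aware current time; a non-empty result is what to alert on before relying on must-staple.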