Re: OCSP update mechanism startup

Fri, 07 Jul 2023 08:43:37 -0700 


On 07/07/2023 16:34, Willy Tarreau wrote:

On Fri, Jul 07, 2023 at 03:06:52PM +0000, Tristan wrote:

The ocsp-update option should be between brackets
/etc/haproxy/ssl/mangadex.dev.pem [ocsp-update on] mangadex.dev
*.mangadex.dev


Oh that makes more sense indeed; should have guessed so since other crt-list
bind params used those indeed...


I think that we should at least emit a warning when domain names not
containing any dot are found, because IIRC these are not valid for
SNI anyway thus there should be no valid reason that an option name
is accepted as a server name.



As an aside, I found the doc relating to preserving bind's strict-sni 
behaviour to be a little bit unclear.



Indeed, I first tried just keeping strict-sni on the bind line, with no 
explicit SNIs filters specified on certificate lines, and that caused 
SSL failures.


And it wasn't serving a default cert but rather just failing the SSL conns.


My uneducated guess is that crt-list just doesn't take into account the 
bind line's strict-sni in such cases, or doesn't extract CNs/SANs. But 
the doc explicitly says that CNs/SANs are taken into account, so I 
assume the former. That's just my uneducated guess anyway.


After a bit of trial-and-error I found out that a working combination was:
1. strict-sni on the bind line
2. explicit sni filters on cert lines in the crt-list


Tho I'd bet that in this case only 2. does anything, and 1. isn't really 
doing anything anymore.



Also personally I have never understood the point of default server 
certs... besides getting unwanted attention from censys/shodan/etc...



Hmm, I understand why it was decided to go that route, and indeed that is
probably not too too hard to do... Though I can't help wonder if an opt-in
mechanism similar to the server state file would make sense for it?


I seem to remember that it's possible to issue a "show ocsp" on the CLI
and direct it to a file, but I could be wrong. That's the same way the
server-state works by the way.



I'll take a look at it, though the main advantage would be to keep it 
all in HAProxy and to avoid dirty cron jobs. But I appreciate that's me 
asking for HAProxy to do everything and more beyond its job... :)


Tristan























					Reply via email to