Hello to all,
I have trouble getting an OCSP response from haproxy when I ask it
with openssl. I will detail below all the steps I have taken; I
get an 'OCSP Response updated!' when I pass the setting to the haproxy
socket.
The version of haproxy that I use is as follows:
===============================
> haproxy -vv
HA-Proxy version 1.5.11 2015/01/31
Copyright 2000-2015 Willy Tarreau <[email protected]>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing
OPTIONS = USE_OPENSSL=1 USE_STATIC_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
=====================================
In the haproxy.conf I have set the following directives in the global
section to enable the socket function with socat:
stats socket /var/run/haproxy.stat mode 600 level admin
stats timeout 2m
The socket is working properly and I can query it with success.
In the certificate that I use (e.g.: mycertificate.crt.pem) the
structure is as follows:
-----BEGIN CERTIFICATE (public mycertificate.crt.pem)-----
-----END CERTIFICATE (public)-----
-----BEGIN CERTIFICATE (chain 1)-----
-----END CERTIFICATE (chain 1)-----
-----BEGIN CERTIFICATE (chain 2)-----
-----END CERTIFICATE (chain 2)-----
-----BEGIN RSA PRIVATE KEY (of mycertificate.crt.pem)-----
-----END RSA PRIVATE KEY (of mycertificate.crt.pem)-----
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
The following script runs with cron every 5 minutes and creates the .ocsp
file and passes it to the haproxy socket. The .issuer file contains the
previously mentioned chain 1 and chain 2 certificates:
#!/bin/sh
SERVER_CERT_FILE=/etc/haproxy/certs/mycertificate.crt.pem
ROOT_CERT_FILE=${SERVER_CERT_FILE}.issuer
HAPROXY_SOCKET=/var/run/haproxy.stat
OCSP_FILE=${SERVER_CERT_FILE}.ocsp
# OCSP responder URL from the certificate's AIA extension
OCSP_URL=$(/usr/bin/openssl x509 -noout -ocsp_uri -in "$SERVER_CERT_FILE")
# Host header value: the host part of the responder URL
# (OpenSSL 1.0.x "-header name value" syntax)
OCSP_HOST=$(echo "$OCSP_URL" | cut -d"/" -f3)

# Fetch the OCSP response for the server certificate and store it in DER form
/usr/bin/openssl ocsp -noverify -issuer "$ROOT_CERT_FILE" -cert "$SERVER_CERT_FILE" \
    -url "$OCSP_URL" -no_nonce -header Host "$OCSP_HOST" -respout "$OCSP_FILE"
# Push the response, base64-encoded on a single line, to the HAProxy admin socket
echo "set ssl ocsp-response $(/usr/bin/base64 -w 0 "$OCSP_FILE")" | socat "$HAPROXY_SOCKET" stdio
Running the above script returns that all is OK and that the OCSP response
was updated:
/etc/haproxy/certs/mycertificate.crt.pem: good
 This Update: Apr 6 08:28:46 2015 GMT
 Next Update: Apr 6 08:33:46 2015 GMT
OCSP Response updated!
After all the configuration and having restarted haproxy, when I run the
command
openssl s_client -connect myservice_URL:443 -tls1 -tlsextdebug -status
I still get:
OCSP response: no response sent
I tried also not to use the haproxy socket and just have the .ocsp
and .issuer files, but with no luck. Any ideas on what is going wrong or what
to try next?
Thanks in advance! :)
--
Vassilis Tzimourtos
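An added example, not the poster's script and not HAProxy's own code: the same cron refresh with a freshness gate in front of the socket push, because HAProxy does not send a stapled response once its Next Update time has passed, so a response valid for only five minutes (as in the output above) is stale by the time most clients test it. Assumed: GNU date and base64, the OpenSSL 1.0.x "-header Host value" syntax used on the page, and the trust-store path.

```shell
#!/bin/sh
# Added example, not the poster's script: refresh the OCSP staple the same way
# (openssl ocsp -> HAProxy admin socket) but only push a response whose own
# "Next Update" is still comfortably in the future. Assumes GNU date/base64
# and OpenSSL 1.0.x (space-separated "-header Host value" as on the page).
set -u

# Extract the "Next Update:" line from `openssl ocsp -text` output and print
# it as epoch seconds; fails if the line is absent.
next_update_epoch() {
    line=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Next Update: *//p' | head -n 1)
    [ -n "$line" ] || return 1
    date -u -d "$line" +%s
}

# True when the response is still usable at epoch $2 plus a margin of $3 s.
# HAProxy stops sending a staple once Next Update has passed, so a response
# that would expire before the next cron run is not worth pushing.
ocsp_is_fresh() {
    nextupd=$(next_update_epoch "$1") || return 1
    [ "$nextupd" -gt "$(($2 + $3))" ]
}

# The exact line the admin socket expects: DER response, base64, single line.
haproxy_ocsp_command() {
    printf 'set ssl ocsp-response %s\n' "$(base64 -w 0 "$1")"
}

# Operational part; only runs when invoked as "script.sh --run" from cron.
if [ "${1:-}" = "--run" ]; then
    CERT=/etc/haproxy/certs/mycertificate.crt.pem   # paths from the post
    ISSUER=${CERT}.issuer
    RESP=${CERT}.ocsp
    SOCKET=/var/run/haproxy.stat
    CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt     # assumed trust store path
    URL=$(openssl x509 -noout -ocsp_uri -in "$CERT")
    HOST=${URL#*://}; HOST=${HOST%%/*}
    # Verify the responder signature against the trust store instead of -noverify.
    TEXT=$(openssl ocsp -CAfile "$CA_BUNDLE" -issuer "$ISSUER" -cert "$CERT" \
           -url "$URL" -header Host "$HOST" -no_nonce -respout "$RESP" -text 2>&1) || {
        printf '%s\n' "$TEXT" >&2; exit 1; }
    if ocsp_is_fresh "$TEXT" "$(date +%s)" 600; then
        haproxy_ocsp_command "$RESP" | socat "$SOCKET" stdio
    else
        echo "OCSP response expires within 10 minutes; not pushed to HAProxy" >&2
        exit 1
    fi
fi
```

Run it as `script.sh --run` from cron; without the flag it only defines the functions, so the freshness check can be exercised on saved `openssl ocsp -text` output.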