Hi Lukas,
frontend cluster:443
bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt
/home/provisionning/cluster.d
default_backend cluster
capture request header Host len 255
---
HA-Proxy version 1.5.8 2014/10/31
Copyright 2000-2014 Willy Tarreau <[email protected]>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.30 2012-02-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
---
If ocsp file is too old or empty for example, i got warning.
Regards,
On Fri, 17 Jul 2015 21:50:34 +0200,
Lukas Tribus <[email protected]> wrote :
> Hi Marc,
>
>
>
> > Hi all,
> >
> > I have some problem making ocsp stapling working. here is what i did :
> >
> > I have 8150.pem with chain, cert and key in it.
> >
> > I have 8150.pem.ocsp that seems ok :
> >
> > # openssl ocsp -respin 8150.pem.ocsp -text -CAfile alphassl256.chain
> > OCSP Response Data:
> > OCSP Response Status: successful (0x0)
> > Response Type: Basic OCSP Response
> > Version: 1 (0x0)
> > Responder Id: 9F10D9EDA5260B71A677124526751E17DC85A62F
> > Produced At: Jul 9 09:47:04 2015 GMT
> > Responses:
> > Certificate ID:
> > Hash Algorithm: sha1
> > Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
> > Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
> > Serial Number: 11216784E7CA1813F3AD922B60EAF6428EE0
> > Cert Status: good
> > This Update: Jul 9 09:47:04 2015 GMT
> > Next Update: Jul 9 21:47:04 2015 GMT
> >
> > No error/warn at haproxy launching but not sure haproxy is loading .ocsp
> > file because no notice in log.
> >
> > But nothing in tlsextdebug :
> >
> > echo Q | openssl s_client -connect www.beluc.fr:443 -servername
> > www.beluc.fr -tlsextdebug -status -CApath /etc/ssl/certs
> > [...]
> > OCSP response: no response sent
> > [...]
> >
> > Do you see smth wrong ? What can i do in order to debug?
>
> Can you provide the output of "haproxy -vv" please and a
> config snippet (the frontend ssl configuration)?
>
> Do you see a warning if 8150.pem.ocsp contains garbage when you restart
> haproxy?
>
>
>
> Regards,
>
> Lukas
>
>
>
--
Marc-Antoine
