2015-12-10 21:14 GMT+01:00 Dave Zhu (yanbzhu) <[email protected]>:
> Finished OCSP portion. It’s in patch 5
>
> OCSP staple files will have to be in the same format: haproxy.pem.rsa.ocsp
> and haproxy.pem.ecdsa.ocsp. They will get picked up when you load
> haproxy.pem in any of the supported methods.
>
> This patch is slightly bigger, as there was some refactoring that had to
> be done to support multi-cert SSL_CTX’s.
>
> The only remaining piece would be SCTL support, and I have no experience
> with that. Someone else will have to step in to add that functionality.

I haven't been following this thread closely, but SCTL should be very
similar to OCSP. SCTL stands for signed certificate timestamp list and
is just a simple list of signatures from Certificate Transparency
logs. This is just a binary blob tied to a given certificate. If the
client includes the CT extension, then the server should locate the appropriate
SCTL (haproxy.pem.rsa.sctl or haproxy.pem.ecdsa.sctl) and include it
in its initial reply. That's all.

I'll try to take a look at the patch set in the following weekend if I
find some time.

-- 
Janusz Dziemidowicz
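The SCTL blob described above, as an added example that is not part of this thread or of HAProxy's code: a parser for the RFC 6962 SignedCertificateTimestampList format that a file such as haproxy.pem.rsa.sctl would hold, with the framing checks a server should apply before handing the bytes to the TLS stack. The sample SCT, its log id, timestamp and signature bytes are constructed placeholders, not real CT data.

```python
# Added example, not HAProxy code: decode an RFC 6962 SCT list as found in a .sctl file.
import struct

def _vec16(buf, pos):
    """Read an opaque<0..2^16-1> vector: 2-byte big-endian length, then data."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    n = struct.unpack_from(">H", buf, pos)[0]
    pos += 2
    if pos + n > len(buf):
        raise ValueError("vector runs past end of data")
    return buf[pos:pos + n], pos + n

def parse_sct(raw):
    """Decode one SerializedSCT (v1 only) into a dict of its fields."""
    if len(raw) < 1 + 32 + 8:
        raise ValueError("SCT too short")
    if raw[0] != 0:                      # 0 = v1, the only version RFC 6962 defines
        raise ValueError("unsupported SCT version %d" % raw[0])
    log_id = raw[1:33]                   # SHA-256 of the CT log's public key
    timestamp_ms = struct.unpack_from(">Q", raw, 33)[0]
    extensions, pos = _vec16(raw, 41)
    if pos + 2 > len(raw):
        raise ValueError("missing SignatureAndHashAlgorithm")
    hash_alg, sig_alg = raw[pos], raw[pos + 1]   # e.g. 4 = sha256, 3 = ecdsa
    signature, pos = _vec16(raw, pos + 2)
    if pos != len(raw):
        raise ValueError("trailing bytes after signature")
    return {"log_id": log_id, "timestamp_ms": timestamp_ms, "extensions": extensions,
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": signature}

def parse_sctl(blob):
    """Decode the whole .sctl file: a length-prefixed list of length-prefixed SCTs."""
    items, pos = _vec16(blob, 0)
    if pos != len(blob) or not items:
        raise ValueError("malformed SCT list framing")
    scts, pos = [], 0
    while pos < len(items):
        raw, pos = _vec16(items, pos)
        scts.append(parse_sct(raw))
    return scts

def build_sctl(scts):
    """Inverse of parse_sctl; used here only to construct the sample blob below."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body
# Constructed sample: one v1 SCT with a dummy log id, no extensions, dummy 4-byte signature.
SAMPLE_SCT = (b"\x00" + b"\x11" * 32 + struct.pack(">Q", 1449778440000)
              + b"\x00\x00" + b"\x04\x03" + struct.pack(">H", 4) + b"\xde\xad\xbe\xef")
SAMPLE_SCTL = build_sctl([SAMPLE_SCT])
```

A real deployment would additionally verify each SCT's signature against the log's public key for the certificate it is stapled to; this block only checks the wire framing.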