Hi guys,

On Thu, Dec 10, 2015 at 09:29:57PM +0100, Janusz Dziemidowicz wrote:
> 2015-12-10 21:14 GMT+01:00 Dave Zhu (yanbzhu) <[email protected]>:
> > Finished OCSP portion. It's in patch 5
> >
> > OCSP staple files will have to be in the same format: haproxy.pem.rsa.ocsp
> > and haproxy.pem.ecdsa.ocsp. They will get picked up when you load
> > haproxy.pem in any of the supported methods.
> >
> > This patch is slightly bigger, as there was some refactoring that had to
> > be done to support multi-cert SSL_CTX's.
> >
> > The only remaining piece would be SCTL support, and I have no experience
> > with that. Someone else will have to step in to add that functionality.
> 
> I haven't been following this thread closely, but SCTL should be very
> similar to OCSP. SCTL stands for signed certificate timestamp list and
> is just a simple list of signatures from Certificate Transparency
> logs. This is just a binary blob tied to a given certificate. If the
> client includes CT extension, then the server should locate appropriate
> SCTL (haproxy.pem.rsa.sctl or haproxy.pem.ecdsa.sctl) and include it
> in its initial reply. That's all.
> 
> I'll try to take a look at the patch set in the following weekend if I
> find some time.

I wanted to let you know that I've just merged Dave's work now. Janusz,
just rebase on latest master, that'll make your work easier. Dave, please
don't forget to update the documentation :-)

Thanks to all reviewers and testers, that was pretty efficient!

Willy

