I'm actually implementing OCSP stapling on my haproxy instance.

It seems we can update ocsp (with set ssl ocsp-response on socket) only if
a previous OCSP record exist.

For example :
Case #1
- start haproxy without any ocsp file
- set ssl ocsp-response $(base64 file.ocsp)
OCSP single response: Certificate ID does not match any certificate or

Case #2
- start haproxy with ocsp file
- set ssl ocsp-response [ with same OCSP response file ]
=> "OCSP Response updated!"

Is this an expected behaviour ?


Reply via email to