Hi Olivier,

On Mon, Jan 23, 2017 at 08:31:13PM +0100, Olivier Doucet wrote:
> Hello,
>
> I'm actually implementing OCSP stapling on my haproxy instance.
>
> It seems we can update OCSP (with set ssl ocsp-response on socket) only if
> a previous OCSP record exists.
>
> For example:
> Case #1
> - start haproxy without any ocsp file
> - set ssl ocsp-response $(base64 file.ocsp)
> =>
> OCSP single response: Certificate ID does not match any certificate or
> issuer.
>
> Case #2
> - start haproxy with ocsp file
> - set ssl ocsp-response [ with same OCSP response file ]
> => "OCSP Response updated!"
>
> Is this an expected behaviour?
I'm not surprised since the initial purpose was to update the pre-loaded record. However I don't know if technically speaking there are any such requirements or if we could get rid of this dependency. Maybe you should try to take a look at it. The "ocsp" word appears very rarely in the code, I think you should be able to track all of the sequence without too much difficulty.

Willy
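A small helper for the update sequence the thread walks through (added example, not code from the thread or from haproxy): it builds the socket command with the response on a single base64 line, then classifies haproxy's reply so the case #1 failure is caught instead of silently ignored. The socket path, the use of socat and the file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a haproxy stats socket at
# $HAPROXY_SOCK and socat installed; "file.ocsp" is the DER OCSP response.
HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"   # assumed path

# Build the socket command. The response must be one base64 line: a wrapped
# base64 (the GNU coreutils default) would be split across several commands.
ocsp_update_cmd() {
    printf 'set ssl ocsp-response %s\n' "$(base64 < "$1" | tr -d '\n')"
}

# Classify haproxy's reply to the command.
# Returns 0 = updated, 1 = no matching pre-loaded record (the thread's case #1),
# 2 = anything else.
classify_ocsp_reply() {
    case "$1" in
        *"OCSP Response updated!"*) return 0 ;;
        *"does not match any certificate or issuer"*) return 1 ;;
        *) return 2 ;;
    esac
}

# Send the update and report; non-zero exit if the staple was not refreshed.
update_ocsp() {
    reply=$(ocsp_update_cmd "$1" | socat stdio "UNIX-CONNECT:$HAPROXY_SOCK")
    if classify_ocsp_reply "$reply"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "staple refreshed: $reply" ;;
        1) echo "haproxy has no pre-loaded OCSP record for this certificate;" \
                "start it with a .ocsp file next to the .pem first: $reply" >&2 ;;
        *) echo "unexpected reply: $reply" >&2 ;;
    esac
    return $rc
}

# Usage: update_ocsp file.ocsp
```

Run it from the same cron job that fetches the fresh response, and alert on a non-zero exit so an expired staple is noticed before clients see it.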