Hi Olivier,

On Mon, Jan 23, 2017 at 08:31:13PM +0100, Olivier Doucet wrote:
> Hello,
> I'm actually implementing OCSP stapling on my haproxy instance.
> It seems we can update ocsp (with set ssl ocsp-response on socket) only if
> a previous OCSP record exist.
> For example :
> Case #1
> - start haproxy without any ocsp file
> - set ssl ocsp-response $(base64 file.ocsp)
> =>
> OCSP single response: Certificate ID does not match any certificate or
> issuer.
> Case #2
> - start haproxy with ocsp file
> - set ssl ocsp-response [ with same OCSP response file ]
> => "OCSP Response updated!"
> Is this an expected behaviour ?

I'm not surprized since the initial purpose was to update the pre-loaded
record. However I don't know if technically speaking there are any such
requirements or if we could get rid of this dependency. Maybe you should
try to take a look at it. The "ocsp" word appears very rarely in the
code, I think should can track all of the sequence without too much


Reply via email to