On 9-2-2017 at 7:58, Willy Tarreau wrote:
Hi Olivier,

On Mon, Jan 23, 2017 at 08:31:13PM +0100, Olivier Doucet wrote:
Hello,

I'm actually implementing OCSP stapling on my haproxy instance.

It seems we can update OCSP (with set ssl ocsp-response on the socket) only if
a previous OCSP record exists.

For example :
Case #1
- start haproxy without any ocsp file
- set ssl ocsp-response $(base64 file.ocsp)
=>
OCSP single response: Certificate ID does not match any certificate or
issuer.

Case #2
- start haproxy with ocsp file
- set ssl ocsp-response [ with same OCSP response file ]
=> "OCSP Response updated!"

Is this expected behaviour?

I'm not surprised, since the initial purpose was to update the pre-loaded
record. However I don't know if technically speaking there are any such
requirements or if we could get rid of this dependency. Maybe you should
try to take a look at it. The "ocsp" word appears very rarely in the
code, I think you should be able to track the whole sequence without too much
difficulty.

Willy

There is of course the option of starting with an 'empty' .ocsp file, and then later setting the actual OCSP content over the admin socket. Assuming you do know in advance that you will want to use OCSP.

Regards
PiBa-NL
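The workflow discussed in this thread, written out as an added example that is not part of the original messages or of HAProxy's own code: start HAProxy with an .ocsp file next to the certificate (the HAProxy "crt" documentation states the file's content is optional, which is what makes the empty-file trick work), then fetch a fresh response and push it over the admin socket with "set ssl ocsp-response". The certificate paths, the socket path /var/run/haproxy.sock and the use of openssl and socat are assumptions. The practical detail the example enforces is that the socket reads one command per line, so the base64 payload must not be line-wrapped; it also checks for the "OCSP Response updated!" reply rather than assuming success.

```shell
#!/bin/sh
# Added example (not from the thread or from HAProxy): refresh an OCSP staple
# in a running HAProxy over the admin socket. All paths are assumptions.
set -eu

# Turn a DER-encoded OCSP response file into the single-line socket command.
# GNU base64 wraps output at 76 columns by default; an embedded newline would
# end the socket command early, so strip every newline from the encoding.
ocsp_socket_cmd() { # der-file
    printf 'set ssl ocsp-response %s\n' "$(base64 < "$1" | tr -d '\n')"
}

# Return 0 only if HAProxy's reply reports a successful update. Any other
# reply (e.g. "Certificate ID does not match any certificate or issuer",
# or an expired response rejected by the load-time checks) is a failure.
ocsp_reply_ok() { # reply-text
    case "$1" in
        *"OCSP Response updated!"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch a fresh response from the responder named in the certificate's AIA
# extension (network step; needs openssl).
fetch_ocsp() { # cert.pem issuer-chain.pem out.ocsp
    url=$(openssl x509 -noout -ocsp_uri -in "$1")
    openssl ocsp -issuer "$2" -cert "$1" -url "$url" -no_nonce \
        -respout "$3" >/dev/null 2>&1
}

# Push the response over the stats socket (needs socat) and verify the reply.
push_ocsp() { # der-file socket-path
    reply=$(ocsp_socket_cmd "$1" | socat stdio "unix-connect:$2")
    ocsp_reply_ok "$reply" || { printf 'OCSP update failed: %s\n' "$reply" >&2; return 1; }
}

# Typical flow (assumed layout: /etc/haproxy/certs/site.pem on a bind line
# with "crt", chain.pem holding the issuer, stats socket at /var/run/haproxy.sock):
#   touch /etc/haproxy/certs/site.pem.ocsp    # empty file: stapling enabled, cert ID registered
#   haproxy -f /etc/haproxy/haproxy.cfg       # start (or reload) with that file present
#   fetch_ocsp /etc/haproxy/certs/site.pem /etc/haproxy/certs/chain.pem /tmp/site.ocsp \
#       && push_ocsp /tmp/site.ocsp /var/run/haproxy.sock
# Repeat the last line from cron before the response's nextUpdate time; inspect
# the dates with: openssl ocsp -respin /tmp/site.ocsp -text -noverify
```

The same load-time controls apply to a socket update as to the file read at startup, so a response whose validity window has already passed is rejected with an error reply rather than stapled; checking the reply text is what turns that into a visible cron failure instead of clients silently receiving no staple.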

