On 9-2-2017 at 7:58, Willy Tarreau wrote:
Hi Olivier,

On Mon, Jan 23, 2017 at 08:31:13PM +0100, Olivier Doucet wrote:

I'm actually implementing OCSP stapling on my haproxy instance.

It seems we can update the OCSP response (with set ssl ocsp-response on the socket) only if
a previous OCSP record exists.

For example:
Case #1
- start haproxy without any ocsp file
- set ssl ocsp-response $(base64 file.ocsp)
OCSP single response: Certificate ID does not match any certificate or

Case #2
- start haproxy with ocsp file
- set ssl ocsp-response [ with same OCSP response file ]
=> "OCSP Response updated!"

Is this expected behaviour?
I'm not surprised since the initial purpose was to update the pre-loaded
record. However I don't know if technically speaking there are any such
requirements or if we could get rid of this dependency. Maybe you should
try to take a look at it. The "ocsp" word appears very rarely in the
code, I think you should be able to track all of the sequence without too much


There is of course the option of starting with an 'empty' .ocsp file, and then later setting the actual OCSP content over the admin socket. Assuming you do know in advance that you will want to use OCSP.

