Hello Janusz,
2017-03-08 16:59 GMT+01:00 Janusz Dziemidowicz <[email protected]>:
> Invalid OCSP file (for example empty one that can be used to enable
> OCSP response to be set dynamically later) causes errors that are
> placed on OpenSSL error stack. Those errors are not cleared so
> anything that checks this stack later will fail.
>
> Following configuration:
> bind :443 ssl crt crt1.pem crt crt2.pem
>
> With following files:
> crt1.pem
> crt1.pem.ocsp - empty one
> crt2.pem.rsa
> crt2.pem.ecdsa
>
> Will fail to load.
>
> --
> 2.11.0
>

With your patch, I can see that you addressed an issue I had: I cannot send an OCSP refresh to a certificate that does not hold an OCSP signature. It seems you succeeded in that by providing at least an empty file. That's a start.

Would it be possible to modify the current source code so as not to provide any OCSP file on startup but still accept an OCSP refresh through the haproxy socket?

Olivier
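The "set dynamically later" path the thread refers to is HAProxy's runtime API command `set ssl ocsp-response`, which takes the DER-encoded OCSP response as a single base64 line. Below is an added shell example, not code from the thread or from HAProxy, showing how an operator would build that command from a response file and how to check a `.ocsp` file before relying on it, since an empty or non-DER file is exactly what triggers the startup failure described above. The socket path `/var/run/haproxy.sock` and the file names are assumptions; the 5-byte DER blob in the usage section is constructed for the example and is not a real OCSP response.

```shell
#!/bin/sh
# Added example (not from the thread or from HAProxy): OCSP helpers for the
# runtime API.  Assumes the stats socket lives at /var/run/haproxy.sock.
set -eu

HAPROXY_SOCK=${HAPROXY_SOCK:-/var/run/haproxy.sock}   # assumed socket path

# is_der_sequence FILE
# Returns 0 when FILE is non-empty and starts with the DER SEQUENCE tag (0x30),
# which every OCSPResponse does.  An empty crt.pem.ocsp (the case in the
# quoted bug report) or a PEM/text file fails this check.
is_der_sequence() {
    f=$1
    [ -s "$f" ] || return 1
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    [ "$first" = "30" ]
}

# ocsp_set_cmd DERFILE
# Prints the runtime API line that loads DERFILE as the OCSP response for
# the certificate it was produced for.  HAProxy matches the response to the
# certificate by the certificate ID inside the response, so no cert name is
# given on the command.  `base64 | tr -d '\n'` is used instead of GNU-only
# `base64 -w 0` so the script also runs on BSD/macOS.
ocsp_set_cmd() {
    der=$1
    is_der_sequence "$der" || { echo "refusing $der: not a DER OCSP response" >&2; return 1; }
    printf 'set ssl ocsp-response %s\n' "$(base64 < "$der" | tr -d '\n')"
}

# ocsp_push DERFILE
# Sends the command to the stats socket.  socat is the usual tool; this is
# the only part that needs a running HAProxy.
ocsp_push() {
    ocsp_set_cmd "$1" | socat stdio "UNIX-CONNECT:$HAPROXY_SOCK"
}

# Usage (stand-alone, offline): a constructed 5-byte DER SEQUENCE stands in
# for a real response obtained with e.g. `openssl ocsp ... -respout resp.der`.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '\060\003\002\001\000' > "$tmp/resp.der"   # constructed, not a real OCSP response
    : > "$tmp/crt1.pem.ocsp"                          # the empty file from the bug report
    ocsp_set_cmd "$tmp/resp.der"                      # prints: set ssl ocsp-response MAMCAQA=
    is_der_sequence "$tmp/crt1.pem.ocsp" || echo "crt1.pem.ocsp is empty: fix it or remove it before starting haproxy"
    rm -rf "$tmp"
fi
```

To refresh a response on a live instance, run `ocsp_push resp.der`; the reply on the socket is `OCSP Response updated!` on success, and an error if the response does not match any loaded certificate. Note that the check above only rejects files that cannot be a DER response; it does not validate the response's signature or `nextUpdate`, which HAProxy and the client do.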

