Hello,

> I seem to have also narrowed this down to being some compatibility
> issue when using the OpenSSL package distributed for Ubuntu 14.04
> Trusty (officially set to EOL in April 2019). That thing is left
> behind on 1.0.1f with security updates being ported from upstream,
> but seemingly nothing more.

Building OpenSSL 1.0.1f from source results in the CMS consistency test failing due to an expired certificate in the test suite; building HAProxy against it resulted in no OCSP responses. Building OpenSSL 1.0.1u from source went well; building HAProxy against it resulted in proper OCSP responses being sent as one would expect.

Could not find what changed by a quick look at the changelog, but I will just conclude there has been some change in the 1.0.1 tree that the Ubuntu maintainers have not picked up in regards to context management and OCSP Status responses.

This is not really a concern for us then as we have plans to finally upgrade once Ubuntu 18.04.1 Bionic drops in July with OpenSSL 1.1.0 and there is no external pressure to Must-Staple our certificates or anything along those lines.

Cheers,
Valter J.

