Hello Valter,

On Fri, Mar 30, 2018 at 09:43:03PM +0300, Valter Jansons wrote:
> Hello,
>
> > I seem to have also narrowed this down to being some compatibility
> > issue when using the OpenSSL package distributed for Ubuntu 14.04
> > Trusty (officially set to EOL in April 2019). That thing is left
> > behind on 1.0.1f with security updates being ported from upstream,
> > but seemingly nothing more.
>
> Building OpenSSL 1.0.1f from source results in the CMS consistency
> test failing due to an expired certificate in the test suite; building
> HAProxy against it resulted in no OCSP responses. Building OpenSSL
> 1.0.1u from source went well; building HAProxy against it resulted in
> proper OCSP responses being sent as one would expect.
>
> Could not find what changed by a quick look at the changelog, but I
> will just conclude there has been some change in the 1.0.1 tree that
> the Ubuntu maintainers have not picked up in regards to context
> management and OCSP Status responses. This is not really a concern for
> us then as we have plans to finally upgrade once Ubuntu 18.04.1 Bionic
> drops in July with OpenSSL 1.1.0 and there is no external pressure to
> Must-Staple our certificates or anything along those lines.

Thanks a lot for sharing your findings, it's very likely that it will
help other people experiencing the same issue later and who will find
this explanation in the archives.

Cheers,
Willy

