On 11/14/18 1:34 AM, Igor Cicimov wrote:
> On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov
> <ig...@encompasscorporation.com> wrote:
>
>     Hi,
>
>     # haproxy -v
>     HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
>     Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>
>
>     I noticed that in case of multiple domains and OCSP setup:
>
>     # ls -1 /etc/haproxy/ssl.d/*.ocsp
>     /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
>     /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
>     /etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
>     /etc/haproxy/ssl.d/star_domain4_com.crt.ocsp
>
>     I get OCSP response from haproxy only for one of the domains,
>     domain.com. Tested via:
>
>     $ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug
>     -status -servername domain[234].com
>
>     Is this expected?
>
>
> Any comments/ideas regarding this? Further noticed that OCSP code
> probably does not check the certificates' SANs and matches only based
> on the CN in the subject, since the calls to whatever.domain.tld get
> stapled but to domain.tld do not.
>
Hi Igor,

Testing OCSP on multiple certificates with different domains (based on
the CN) works correctly for me. (a.domain.com, b.domain.com, c.domain.com)

Are you using multiple certs with the same CN but different SANs?

-- 
Moemen MHEDHBI
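As an added example that is not part of this thread (not code from Igor, Moemen or the HAProxy project): a small POSIX shell helper that turns the `openssl s_client -status` test from the thread into a per-SNI report, so every certificate loaded from a crt directory can be checked for a served `.ocsp` staple in one pass, and a helper that prints a certificate's subject CN alongside its SANs to answer the "same CN, different SANs" question. The host names, `host:port` argument and the sample `s_client` output embedded below are constructed for illustration; `cert_names` assumes OpenSSL 1.1.1 or newer for the `-ext` option.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies `openssl s_client -status`
# output as stapled / unstapled and runs that check per SNI name.

# Classify captured s_client output. Prints one of: stapled, unstapled, unknown.
# OpenSSL prints "OCSP response: no response sent" when the server sends no
# staple, and an "OCSP Response Status: successful (0x0)" block when it does.
ocsp_classify() {
    # $1 = full text of an `openssl s_client -status ...` run
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
        echo unstapled
    else
        echo unknown
    fi
}

# Live check for one SNI name: connect, present the name, classify the staple.
# Needs network access; it is not exercised by the offline test.
ocsp_check_sni() {
    # $1 = SNI name to present, $2 = host:port to connect to (default "$1:443")
    sni=$1
    target=${2:-"$1:443"}
    # `echo |` closes the connection once the handshake output is captured.
    out=$(echo | openssl s_client -connect "$target" -servername "$sni" -status 2>/dev/null)
    printf '%s\t%s\n' "$sni" "$(ocsp_classify "$out")"
}

# Walk a newline-separated list of SNI names and report each one, so a
# missing staple for a bare domain vs. its wildcard/subdomain stands out.
ocsp_report() {
    # $1 = newline-separated SNI names, $2 = optional host:port for all of them
    printf '%s\n' "$1" | while IFS= read -r name; do
        [ -n "$name" ] && ocsp_check_sni "$name" "$2"
    done
}

# Print the subject (CN) and the subjectAltName extension of a PEM certificate,
# to see whether two certs share a CN and differ only in SANs.
# Assumes OpenSSL 1.1.1+ for `-ext`.
cert_names() {
    # $1 = path to a PEM certificate (e.g. /etc/haproxy/ssl.d/star_domain_com.crt)
    openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# Constructed sample outputs (trimmed), mirroring what OpenSSL prints per case.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================'

SAMPLE_UNSTAPLED='CONNECTED(00000003)
OCSP response: no response sent
depth=2 C = US, O = Constructed CA'

# Usage (live, constructed names):
#   ocsp_report "$(printf 'domain.com\nwww.domain.com\ndomain2.com')"
#   cert_names /etc/haproxy/ssl.d/star_domain_com.crt
```

Running `ocsp_report` over both the bare domain and a subdomain of each certificate reproduces the comparison made in the thread (stapled for `whatever.domain.tld`, not for `domain.tld`) in a single table, and `cert_names` on the matching `.crt` files shows whether those names sit in the CN or only in the SAN list.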
