@list: sorry for the incorrect subject in my previous answer. At some
point the subject changed when the email was saved and encrypted in Drafts.

On 28/11/2018 18:59, Moemen MHEDHBI wrote:
> Hi Igor,
>
> On 11/27/18 12:48 AM, Igor Cicimov wrote:
>> Hi Moemen,
>>
>> On Tue, Nov 27, 2018 at 1:24 AM Moemen MHEDHBI <[email protected]> wrote:
>>> On 11/14/18 1:34 AM, Igor Cicimov wrote:
>>>
>>> On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov 
>>> <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> # haproxy -v
>>>> HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
>>>> Copyright 2000-2018 Willy Tarreau <[email protected]>
>>>>
>>>> I noticed that in case of multiple domains and OCSP setup:
>>>>
>>>> # ls -1 /etc/haproxy/ssl.d/*.ocsp
>>>> /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
>>>> /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
>>>> /etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
>>>> /etc/haproxy/ssl.d/star_domain4_com.crt.ocsp
>>>>
>>>> I get OCSP response from haproxy only for one of the domains
>>>> domain.com. Tested via:
>>>>
>>>> $ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug
>>>> -status -servername domain[234].com
>>>>
>>>> Is this expected?
>>> Any comments/ideas regarding this? I further noticed that the OCSP code probably
>>> does not check the certificate's SANs and matches only based on the CN in
>>> the subject, since the calls to whatever.domain.tld get stapled but those to
>>> domain.tld do not.
>>>
>>> Hi Igor,
>>>
>>> Testing OCSP on multiple certificates with different domains (based on the 
>>> CN) works correctly for me. (a.domain.com, b.domain.com, c.domain.com)
>>>
>>> Are you using multiple certs with the same CN but different SANs?
>> The certificates belong to completely separate domains, so not
>> subdomains of the same domain like in your case. They are also
>> wildcard certs so here is the layout:
>>
>> # ls -1 /etc/haproxy/ssl.d/
>> star_domain1_com.crt
>> star_domain1_com.crt.ocsp
>> star_domain2_com.crt
>> star_domain2_com.crt.ocsp
>> star_domain3_com.crt
>> star_domain3_com.crt.ocsp
>>
>> # for i in `ls -1 /etc/haproxy/ssl.d/*.crt`; do openssl x509 -noout
>> -subject -in $i; done
>> subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
>> subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain2.com
>> subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain3.com
>>
>> The SAN only contains the certificate's domain and nothing else, for
>> example for domain3.com:
>>
>>             X509v3 Subject Alternative Name:
>>                 DNS:*.domain3.com, DNS:domain3.com
>>
>> The haproxy bind line in the frontend looks like:
>>
>>      bind *:443 ssl crt /etc/haproxy/ssl.d/ ...
>>
>> And here is the output of the daily cronjob that updates the OCSP for 
>> haproxy:
>>
>> Date: Mon, 26 Nov 2018 05:00:01 +0000 (GMT)
>>
>> /etc/haproxy/ssl.d/star_domain1_com.crt: good
>>         This Update: Nov 25 17:39:11 2018 GMT
>>         Next Update: Dec  2 16:54:11 2018 GMT
>> OCSP Response updated!
>> /etc/haproxy/ssl.d/star_domain2_com.crt: good
>>         This Update: Nov 24 20:49:57 2018 GMT
>>         Next Update: Dec  1 20:04:57 2018 GMT
>> OCSP Response updated!
>> /etc/haproxy/ssl.d/star_domain3_com.crt: good
>>         This Update: Nov 25 14:09:00 2018 GMT
>>         Next Update: Dec  2 13:24:00 2018 GMT
>> OCSP Response updated!
>>
>> I can confirm this is working as intended on other servers I have with
>> 1.7.11 and 1.8.14, so it must be something specific to this one that I
>> struggle to understand (to be even more confusing, it is all being
>> set up by Ansible in the same way as everywhere else).
>>
>> Under what circumstances would a setup like this not work in terms of
>> OCSP? Example:
>>
>> $ echo | openssl s_client -connect server:443 -tlsextdebug -status
>> -servername domain1.com | grep -E 'OCSP|domain1'
>> depth=0 C = AU, ST = New South Wales, L = Sydney, O = My Company, CN =
>> *.domain1.com
>> verify return:1
>> DONE
>> OCSP response: no response sent
>>  0 s:/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
>> subject=/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
>>
>> Thanks for your input by the way, very much appreciated.
>
> If I am understanding this correctly when you use the naked domain
> 'domain1.com', you don't get an OCSP response (despite mentioning the
> domain in the SAN extension).
>
> Is this the case for all the domains or only one of them? I am asking
> this since you're mentioning multiple domains.
>
> I was testing the same config with HA-Proxy version 1.8.14 2018/09/20
> without being able to reproduce this.
>
> $ echo quit | openssl s_client -connect localhost:443 -servername
> 'example.org' -status | egrep 'OCSP|example'
> OCSP response:
> OCSP Response Data:
>     OCSP Response Status: successful (0x0)
>     Response Type: Basic OCSP Response
>         OCSP Nonce:
> subject=/C=FR/ST=PARIS/O=MMH/OU=server/CN=*.example.org
>
> I only get "no response sent" when the "naked" domain is not mentioned
> in the SAN, which is expected.
>
>
>> I can confirm this is working as intended on other servers I have with
>> 1.7.11 and 1.8.14, so it must be something specific to this one that I
>> struggle to understand (to be even more confusing, it is all being
>> set up by Ansible in the same way as everywhere else).
> Ok, so no surprise that I cannot reproduce this, since I am using 1.8.14
> (latest release of the 1.8 branch) and you confirm that you don't have
> issues with this version, but rather with the 1.8.14-1ppa1~xenial
> version (from Vincent Bernat's PPA, I suppose). What is strange is that I
> am expecting 1.8.14-1ppa1~xenial to be the same as HA-Proxy version
> 1.8.14 2018/09/20. I will double check though and get back to you.
>
> Regards,
>
-- 
Moemen MHEDHBI
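The staple check the thread performs by hand with openssl s_client, written up as a script that walks every DNS SAN of each certificate (wildcard and naked domain alike) and reports which SNI names get a staple. This is an added example, not code from the thread or from HAProxy; the host, port and certificate paths are placeholders you pass in, and substituting "www" for the wildcard label is an assumption of this script.

```shell
#!/bin/sh
# Added example, not from the thread: per-SNI OCSP staple check for one
# HAProxy listener. Host, port and cert paths are placeholders you pass in.

# Classify one `openssl s_client -status` transcript (passed as a string):
# prints "stapled", "missing" or "unknown".
classify_staple() {
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
        echo missing
    else
        echo unknown
    fi
}

# From `openssl x509 -noout -text` output (passed as a string) list every
# DNS SAN, one per line; a wildcard "*.x" becomes "www.x" (assumed label)
# so it can be used as a concrete SNI name. This covers both forms the
# thread distinguishes: a host under the domain and the naked domain.
san_to_sni() {
    printf '%s\n' "$1" \
      | grep -A1 'Subject Alternative Name' | tail -n 1 \
      | tr ',' '\n' | sed -n 's/^ *DNS://p' | sed 's/^\*\./www./'
}

# Live check (needs network): for each cert file, query HOST:PORT once per
# SAN-derived name and print "name<TAB>status". A "missing" line for a
# name that is present in the SAN is the symptom described in the thread.
check_server() {
    host=$1; port=$2; shift 2
    for crt in "$@"; do
        text=$(openssl x509 -noout -text -in "$crt") || continue
        for name in $(san_to_sni "$text"); do
            out=$(echo | openssl s_client -connect "$host:$port" \
                  -servername "$name" -status 2>/dev/null) || true
            printf '%s\t%s\n' "$name" "$(classify_staple "$out")"
        done
    done
}

# Usage: ./check_staples.sh haproxy.example.internal 443 /etc/haproxy/ssl.d/*.crt
if [ "$#" -ge 3 ]; then
    check_server "$@"
fi
```

Run it from the cron job that refreshes the .ocsp files so a name that stops being stapled shows up in the same report as the OCSP refresh output.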