Re: set ssl ocsp-response working only if we already have an ocsp record

2017-02-08 Thread Willy Tarreau
Hi Olivier,

On Mon, Jan 23, 2017 at 08:31:13PM +0100, Olivier Doucet wrote:
> Hello,
> 
> I'm actually implementing OCSP stapling on my haproxy instance.
> 
> It seems we can update ocsp (with set ssl ocsp-response on socket) only if
> a previous OCSP record exists.
> 
> For example:
> Case #1
> - start haproxy without any ocsp file
> - set ssl ocsp-response $(base64 file.ocsp)
> =>
> OCSP single response: Certificate ID does not match any certificate or
> issuer.
> 
> Case #2
> - start haproxy with ocsp file
> - set ssl ocsp-response [ with same OCSP response file ]
> => "OCSP Response updated!"
> 
> Is this an expected behaviour?

I'm not surprised since the initial purpose was to update the pre-loaded
record. However I don't know if technically speaking there are any such
requirements or if we could get rid of this dependency. Maybe you should
try to take a look at it. The "ocsp" word appears very rarely in the
code, I think you should be able to track the whole sequence without too
much difficulty.

Willy



set ssl ocsp-response working only if we already have an ocsp record

2017-01-23 Thread Olivier Doucet
Hello,

I'm actually implementing OCSP stapling on my haproxy instance.

It seems we can update ocsp (with set ssl ocsp-response on socket) only if
a previous OCSP record exists.

For example:
Case #1
- start haproxy without any ocsp file
- set ssl ocsp-response $(base64 file.ocsp)
=>
OCSP single response: Certificate ID does not match any certificate or
issuer.

Case #2
- start haproxy with ocsp file
- set ssl ocsp-response [ with same OCSP response file ]
=> "OCSP Response updated!"

Is this an expected behaviour?

Olivier
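The procedure in the two cases above (push a DER OCSP response through the stats socket with "set ssl ocsp-response", then read HAProxy's reply), as an added shell example that is not part of the thread and not HAProxy's own code. It assumes socat is installed, uses a placeholder socket path, and the DER bytes in the self-check are constructed stand-ins, not a real OCSP response. It also encodes the response on one line: `$(base64 file.ocsp)` with GNU coreutils wraps at 76 columns, which sends a multi-line command, so the newlines are stripped.

```shell
#!/bin/sh
# Added example (not from the thread, not HAProxy code): push an OCSP
# response over the HAProxy stats socket and classify the reply.
# Assumptions: socat is installed; HAPROXY_SOCK is a placeholder path;
# the bytes written by ocsp_roundtrip_ok are constructed, not a real response.

SOCK="${HAPROXY_SOCK:-/var/run/haproxy.stat}"   # assumed socket path

# Build the command as a single line. The socket command expects the whole
# base64 response on one line, so wrapping from base64 (GNU wraps at 76
# columns) is removed with tr, which is portable across GNU and BSD base64.
ocsp_command() {
    der_file="$1"
    printf 'set ssl ocsp-response %s\n' "$(base64 < "$der_file" | tr -d '\n')"
}

# Send the command to the socket and print HAProxy's reply.
ocsp_push() {
    der_file="$1"
    ocsp_command "$der_file" | socat stdio "UNIX-CONNECT:$SOCK"
}

# Classify the reply text: 0 when the record was updated, 2 when HAProxy
# reports no matching certificate/issuer (case #1 in the thread, i.e. no
# pre-loaded record for this certificate), 1 for anything else.
ocsp_classify_reply() {
    case "$1" in
        *"OCSP Response updated!"*) return 0 ;;
        *"does not match any certificate or issuer"*) return 2 ;;
        *) return 1 ;;
    esac
}

# Fetch a fresh DER response from the CA's responder (needs network, not
# run here). Usage: ocsp_fetch server.pem issuer.pem ocsp.example.com:80 resp.der
ocsp_fetch() {
    openssl ocsp -issuer "$2" -cert "$1" -host "$3" -respout "$4"
}

# Offline self-check: the command must carry the exact bytes of the file.
# The 5 bytes below are constructed and are not a valid OCSP response.
ocsp_roundtrip_ok() {
    tmp=$(mktemp)
    printf '\060\003\012\001\000' > "$tmp"
    cmd=$(ocsp_command "$tmp")
    decoded=$(printf '%s' "${cmd#set ssl ocsp-response }" | base64 -d \
              | od -An -tx1 | tr -d ' \n')
    rm -f "$tmp"
    [ "$decoded" = "30030a0100" ]
}

# Typical cron use:
#   ocsp_fetch server.pem issuer.pem ocsp.example.com:80 resp.der
#   reply=$(ocsp_push resp.der); ocsp_classify_reply "$reply" || echo "rc=$? : $reply"
```

The return code 2 is the situation the thread describes: with the HAProxy of this thread the socket command only updates a record that already exists, so the certificate needs a DER response in a `<crt>.ocsp` file next to it when HAProxy starts. A cron job can use that code to tell "seed the sidecar file and reload" apart from "update applied".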