err with multiple TLS sites but one OCSP?

2017-01-28 Thread Bob Beck
Sooo.. Pretty sure mlucas has uncovered a problem with the ocsp interface. Basically I didn't attach it to the keypair, (yes Joel, I think you told me so) so it only works with the master keypair.. OK, but the problem is that it also returns the staple for other keypairs which is wrong.

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Michael W. Lucas
On Fri, Jan 27, 2017 at 09:53:25PM +, Bob Beck wrote: >On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas > Or a misconfiguration. ? show configs Configs follow. # cat /etc/httpd.conf include "/etc/sites/www3.conf" include "/etc/sites/www4.conf" www3.conf: server "www3.mwlucas.org" {

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Bob Beck
On Fri, Jan 27, 2017 at 15:23 Stuart Henderson wrote: > On 2017/01/27 22:09, Bob Beck wrote: > > > I think you have more issues than ocsp. if thats the same host you can't > > > have two different tls certs on the same ip. and you have them both on > > > *443 > > > > > >

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Stuart Henderson
On 2017/01/27 22:09, Bob Beck wrote: > I think you have more issues than ocsp. if thats the same host you can't > have two different tls certs on the same ip. and you have them both on > *443 > > try using a separate ip for each Wasn't SNI support added to httpd already?

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Bob Beck
I think you have more issues than ocsp. if thats the same host you can't have two different tls certs on the same ip. and you have them both on *443 try using a separate ip for each On Fri, Jan 27, 2017 at 15:03 Michael W. Lucas wrote: > On Fri, Jan 27, 2017 at

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Bob Beck
On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas wrote: > On Fri, Jan 27, 2017 at 02:50:29PM -0500, Michael W. Lucas wrote: > > > On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote: > > > > That looks like a web server bug, it shouldn't return a staple >

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Michael W. Lucas
On Fri, Jan 27, 2017 at 02:50:29PM -0500, Michael W. Lucas wrote: > On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote: > > That looks like a web server bug, it shouldn't return a staple > > in that case. What software are you using for that? > > > > OpenBSD httpd, of course.

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Michael W. Lucas
On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote: > That looks like a web server bug, it shouldn't return a staple > in that case. What software are you using for that? OpenBSD httpd, of course. amd64 snapshot downloaded yesterday from ftp3.usa.openbsd.org. ==ml -- Michael

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Stuart Henderson
On 2017/01/27 13:10, Michael W. Lucas wrote: > Hi, > > Not sure if this is an expected part of OCSP or a bug. > > I've configured two TLS sites on one host, one with OCSP stapling > (www3.mwlucas.org) and one without (www4.mwlucas.org). The OCSP site > works fine, but the non-OCSP site generates

err with multiple TLS sites but one OCSP?

2017-01-27 Thread Michael W. Lucas
Hi, Not sure if this is an expected part of OCSP or a bug. I've configured two TLS sites on one host, one with OCSP stapling (www3.mwlucas.org) and one without (www4.mwlucas.org). The OCSP site works fine, but the non-OCSP site generates an err. It *appears* that queries to the non-OCSP site