OCSP stapling with HAProxy as a server
This patch allows loading and validating an OCSP response file in DER format when haproxy starts. This file should be kept at the same path as the server certificate in use and the *.issuer file (set as the ssl crt keyword value on haproxy's bind line):
```
bind *:1443 ssl crt show_ocsp_server.pem
```

```
~/haproxy master$ ls -al show_ocsp_server.pem*
-rw-r--r-- 1 root root 6918 mai 16 19:25 show_ocsp_server.pem
-rw-r--r-- 1 root root 1830 mai 16 19:25 show_ocsp_server.pem.issuer
-rw-r--r-- 1 root root 2281 mai 16 19:25 show_ocsp_server.pem.ocsp
```
Can one of the admins verify this patch?
Hi @vkssv ,
Can you tell me more about your project? I don't see you on our contributor list. Please send an email to support@wolfssl.com and reference this PR to start the process for getting set up as a contributor.
Okay to test
Thanks, David Garske, wolfSSL
@vkssv
The HAProxy test fails the ./tests/unit.test
```
FAILURES:
648: test_wolfSSL_i2d_OCSP_CERTID
```
Hello @dgarske !
I've provided this patch in order to illustrate and reproduce our problem with OCSP stapling, described at #7588.
So we do not intend to merge this. It is just to help you debug, or to give us some hints on how we could use the OpenSSL-compatible OCSP d2i_OCSP_CERTID and i2d_OCSP_CERTID APIs.
Thanks in advance,
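The i2d_OCSP_CERTID / d2i_OCSP_CERTID round trip asked about above, as an added example that is not part of this PR, of HAProxy or of wolfSSL: a stdlib-only Python encoder and decoder for the OCSP CertID structure (RFC 6960, section 4.1.1), so a compatibility layer's output can be compared byte for byte against a known-good encoding. The issuer name (a DER Name "CN=Test"), the public-key bits and the serial numbers are constructed sample inputs.

```python
# Added example (not wolfSSL's or HAProxy's code): DER encode/decode of the OCSP CertID
# (RFC 6960 4.1.1), the object i2d_OCSP_CERTID() writes and d2i_OCSP_CERTID() reads.
import hashlib

SHA1_OID_DER = bytes.fromhex("06052b0e03021a")  # OID 1.3.14.3.2.26 (id-sha1)
# Constructed sample inputs: a DER-encoded Name "CN=Test" and placeholder public-key bits.
ISSUER_NAME_DER = bytes.fromhex("300f310d300b0603550403130454657374")
ISSUER_SPK_BITS = bytes(range(64))

def der_len(n: int) -> bytes:
    """DER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value: int) -> bytes:  # positive INTEGER, leading 0x00 when the top bit is set
    return der_tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def encode_certid(issuer_name_der: bytes, issuer_spk_bits: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }."""
    alg = der_tlv(0x30, SHA1_OID_DER + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    name_hash = der_tlv(0x04, hashlib.sha1(issuer_name_der).digest())
    key_hash = der_tlv(0x04, hashlib.sha1(issuer_spk_bits).digest())
    return der_tlv(0x30, alg + name_hash + key_hash + der_int(serial))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give the number of length octets that follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_certid(der: bytes) -> dict:
    """Parse a CertID into its fields; raise ValueError on a malformed or truncated encoding."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("CertID must be exactly one SEQUENCE")
    fields, pos = [], 0
    while pos < len(seq):
        t, content, pos = _read_tlv(seq, pos)
        fields.append((t, content))
    if [t for t, _ in fields] != [0x30, 0x04, 0x04, 0x02]:
        raise ValueError("unexpected CertID field layout")
    return {"hash_alg_der": fields[0][1], "issuer_name_hash": fields[1][1],
            "issuer_key_hash": fields[2][1], "serial": int.from_bytes(fields[3][1], "big", signed=True)}
```

Re-encoding the decoded fields must reproduce the original bytes exactly; a layer whose d2i or i2d breaks that property is what the failing test_wolfSSL_i2d_OCSP_CERTID unit test is checking for.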
@rizlik is working on fixing this internally. I will go ahead and close this.
See https://github.com/wolfSSL/wolfssl/pull/7779