OCSP stapling with HAProxy

StephenG · October 19, 2016, 3:33pm

Has anyone got OCSP stapling with Let's Encrypt certificates working correctly in HAProxy?
(CentOS 7, HAProxy 1.7 dev4, OpenSSL 1:1.0.1e-51.el7_2.7)

I'm trying it now, and everything seems to work ok until testing, where I'm getting:

OCSP response: no response sent
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mydomain.com
verify return:1

when trying to test it using

openssl s_client -connect mydomain.com:443 -tlsextdebug -status -servername mydomain.com

I have the .ocsp response and .issuer (Let's Encrypt chain.pem) files present in my HAProxy certs directory, and have tried reloading HAProxy after copying those files.

I intially get the OCSP response using:

openssl ocsp -no_nonce -respout /etc/haproxy/certs/mydomain.com.pem.ocsp -issuer /etc/letsencrypt/live/mydomain.com/chain.pem -verify_other /etc/letsencrypt/live/mydomain.com/chain.pem -cert /etc/letsencrypt/live/mydomain.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org/ -header "HOST" "ocsp.int-x3.letsencrypt.org"

Thanks..

(I've also asked this in the HAProxy forums but perhaps someone here could have this setup already)

TCM · October 19, 2016, 5:24pm

I can only provide a data point that it works OK on OpenBSD 6.0 with:

# haproxy -vv
HA-Proxy version 1.6.6 2016/06/26
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = openbsd
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -pipe -fno-strict-aliasing
  OPTIONS = USE_LIBCRYPT=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set)
Compression algorithms supported : identity("identity")
Built with OpenSSL version : LibreSSL 2.4.2
Running on OpenSSL version : LibreSSL 2.4.2
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: SO_BINDANY

Available polling systems :
     kqueue : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Do you have

OpenSSL library supports TLS extensions : yes

? Is your .ocsp file OK?

# openssl asn1parse -in [...].ocsp -inform der
    0:d=0  hl=4 l= 523 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: ENUMERATED        :00
    7:d=1  hl=4 l= 516 cons: cont [ 0 ]
   11:d=2  hl=4 l= 512 cons: SEQUENCE
   15:d=3  hl=2 l=   9 prim: OBJECT            :Basic OCSP Response
   26:d=3  hl=4 l= 497 prim: OCTET STRING      [HEX DUMP]:...

StephenG · October 19, 2016, 5:47pm

Thanks for that. Yes I have the TLS extensions support and .ocsp file appears to be ok.

I see that you’re using LibreSSL - I’m beginning to think that the culprit here is the stock OpenSSL 1.0.1 branch in CentOS 7. I’ll try compiling HAProxy against 1.0.2 and try the OCSP check again.

StephenG · October 20, 2016, 12:12am

Ah it works now!

It just needed HAProxy compiled with OpenSSL 1.0.2 (instructions are in the HAProxy README)

system · November 19, 2016, 12:15am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.