Traffic Server / TS-4179

OCSP stapling broken with RSA+ECDSA cert serving

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 7.1.0
    • Component/s: SSL
    • Labels:

      Description

      When I try to serve both an RSA and an ECDSA cert using a config like so:

      $ grep ocsp records.config
      CONFIG proxy.config.ssl.ocsp.enabled INT 1
      $ grep -v ^# ssl_multicert.config
      dest_ip=* ssl_cert_name=ecdsa.crt,rsa.crt ssl_key_name=ecdsa.key,rsa.key

      I get the following error displayed in diags.log:

      WARNING: fail to configure SSL_CTX for OCSP Stapling info for certificate at ecdsa.crt

      Also when I connect via either of the following I get no stapled cert:

      $ openssl s_client -connect localhost:443 -cipher 'ECDHE-ECDSA-AES128-SHA' -status
      CONNECTED(00000003)
      OCSP response: no response sent
      ...
      $ openssl s_client -connect localhost:443 -cipher 'ECDHE-RSA-AES128-SHA' -status
      CONNECTED(00000003)
      OCSP response: no response sent
      ...
      $

      Here are the debug log messages:

      diags.log:[Feb 5 22:44:03.230] Server {0x2afd2845bd80} WARNING: fail to configure SSL_CTX for OCSP Stapling info for certificate at ecdsa.crt
      traffic.out:[Feb 5 22:44:03.230] Server {0x2afd2845bd80} DEBUG: (ssl) ssl ocsp stapling is enabled
      traffic.out:[Feb 5 22:44:41.250] Server {0x2afd2ab89700} DEBUG: (ssl) ssl_callback_ocsp_stapling: fail to get certificate information
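
A regression check for the behaviour reported above, added here as an example and not part of the original report or the Traffic Server code base: `staple_status` classifies the stapling section of `openssl s_client -status` output, and `check_staple` probes once per cipher string from the report. The function names, the `-tls1_2` flag and the sample outputs are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: check OCSP stapling per certificate type (RSA vs ECDSA).

# Constructed sample outputs, trimmed to the lines that matter.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'

# Read s_client output on stdin; print not-stapled, stapled-good,
# stapled-other (a staple that is not "successful"/"good") or unknown.
staple_status() {
    awk '
        /OCSP response: no response sent/  { none = 1 }
        /OCSP Response Status:/            { seen = 1 }
        /OCSP Response Status: successful/ { ok = 1 }
        /Cert Status: good/                { good = 1 }
        END {
            if (none)            print "not-stapled"
            else if (ok && good) print "stapled-good"
            else if (seen)       print "stapled-other"
            else                 print "unknown"
        }'
}

# Probe HOST:PORT once per cipher string from the report. -tls1_2 is an
# assumption added here: under TLS 1.3 the -cipher list no longer selects
# the certificate type. Returns 1 if either certificate lacks a good staple.
check_staple() {
    rc=0
    for cipher in ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA; do
        status=$(openssl s_client -connect "$1" -tls1_2 -cipher "$cipher" \
                     -status </dev/null 2>/dev/null | staple_status)
        printf '%-24s %s\n' "$cipher" "$status"
        [ "$status" = "stapled-good" ] || rc=1
    done
    return $rc
}

# Usage against a live server: check_staple localhost:443
```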

            People

            • Assignee:
              persiaAziz Syeda Persia Aziz
              Reporter:
              sc0ttbeardsley Scott Beardsley