Netgate Discussion Forum

    HAProxy 1.5 and OCSP

    24 Posts 4 Posters 7.9k Views
    josh4trunks

      Thanks Michael for blazing the path for me. I also have an SSL cert from StartSSL and just appended it to my domain cert. When I decided to try OCSP today I got the same error. I'll work through what you did tonight, hopefully.

      And thanks as always PiBa for your continued work on this awesome plugin!

      michaelschefczyk

        Dear PiBa, dear all,

        While I did get OCSP to work some months ago, this is no longer so, unfortunately. I am uncertain if issues in the haproxy-1_5 stable package towards 0.30 are causing this, or if it is issues at the certificate provider.

        In the Qualys SSL test, I see two certificate paths, one leading to the SHA1 CA cert and the other leading to the SHA256 CA cert. While OCSP fails at different levels of the certificate chain, problems are always identical for both paths.

        Yesterday, the Qualys SSL test did yield (for the SHA1 path as an example):

        1 Sent by server analyticum.com
        Fingerprint: ad2b82ac78767c062980f20fc403facdff0a8ddf
        RSA 4096 bits (e 65537) / SHA256withRSA
        OCSP ERROR: Request failed with HTTP status: 500 [http://ocsp.startssl.com/sub/class2/server/ca]

        2 Sent by server StartCom Class 2 Primary Intermediate Server CA
        Fingerprint: 064969b7f4d6a74fd098be59d379fae429a906fb
        RSA 2048 bits (e 65537) / SHA256withRSA

        3 In trust store StartCom Certification Authority  Self-signed
        Fingerprint: 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f
        RSA 4096 bits (e 65537) / SHA1withRSA
        Weak or insecure signature, but no impact on root certificate

        Today (with no changes on my side), OCSP fails for the intermediary certificate instead of the server certificate:

        1 Sent by server analyticum.com
        Fingerprint: ad2b82ac78767c062980f20fc403facdff0a8ddf
        RSA 4096 bits (e 65537) / SHA256withRSA

        2 Sent by server StartCom Class 2 Primary Intermediate Server CA
        Fingerprint: 064969b7f4d6a74fd098be59d379fae429a906fb
        RSA 2048 bits (e 65537) / SHA256withRSA
        OCSP ERROR: Request failed with HTTP status: 500 [http://ocsp.startssl.com/ca]

        3 In trust store StartCom Certification Authority  Self-signed
        Fingerprint: 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f
        RSA 4096 bits (e 65537) / SHA1withRSA
        Weak or insecure signature, but no impact on root certificate

        Can someone please point me at how to avoid this?

        Regarding the future issue of making ALPN available, I did read that openssl 1.0.2 would be required (https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation - I could not find the release notes quoted under (6) in the wikipedia article or anything like this in the openssl release notes which I did find, though.) while pfSense does provide OpenSSL 1.0.1l-freebsd 15 Jan 2015 now. Does anyone know whom to notify to change that well before the end of 2015?

        Regards,

        Michael
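        One defensive way to handle a responder outage like the HTTP 500 above, as an added example that is not code from the thread or from the HAProxy package: refresh the DER response that HAProxy 1.5 staples from the `<bundle>.ocsp` file next to the PEM bundle, but only replace that file when the responder returns a verified "good" answer, so a failing responder leaves the last good response in place instead of breaking stapling at the next reload. It assumes a bundle laid out as josh4trunks describes (leaf cert with the chain appended), the OpenSSL 1.0.x CLI, and a CA_BUNDLE path (the FreeBSD ca_root_nss location is an assumption).

```shell
#!/bin/sh
# Added example, not code from the thread: keep HAProxy 1.5's stapled
# OCSP response (<bundle>.ocsp, DER) fresh without letting a responder
# failure (e.g. an HTTP 500) clobber the last good response.
# Assumptions: bundle = leaf cert + appended chain, OpenSSL 1.0.x CLI,
# CA_BUNDLE = FreeBSD ca_root_nss path (override via the environment).
set -u
CA_BUNDLE=${CA_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}

# Return 0 only if captured `openssl ocsp` output shows a response whose
# signature verified and whose status for our certificate is "good".
ocsp_response_good() {
    printf '%s\n' "$1" | grep -q '^Response verify OK$' || return 1
    printf '%s\n' "$1" | grep -q ': good$' || return 1
}

# Split a PEM bundle into cert1.pem (leaf), cert2.pem (issuer), ...
split_bundle() {
    awk -v d="$2" '/BEGIN CERT/ { n++ } { print > (d "/cert" n ".pem") }' "$1"
}

# Query the leaf's OCSP responder (from its AIA extension) and replace
# <bundle>.ocsp only on a verified "good" answer; otherwise return 1 and
# keep the existing file.
refresh_ocsp() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    split_bundle "$bundle" "$tmp"
    uri=$(openssl x509 -in "$tmp/cert1.pem" -noout -ocsp_uri | head -n 1)
    # Some responders require a Host header; the -header syntax differs
    # between OpenSSL 1.0.x and 1.1.x, so it is left out here.
    out=$(openssl ocsp -issuer "$tmp/cert2.pem" -cert "$tmp/cert1.pem" \
        -CAfile "$CA_BUNDLE" -url "$uri" -no_nonce \
        -respout "$tmp/new.ocsp" 2>&1)
    if ocsp_response_good "$out"; then
        mv "$tmp/new.ocsp" "$bundle.ocsp" && rc=0 || rc=1
    else
        echo "OCSP responder $uri did not return a good response:" >&2
        printf '%s\n' "$out" >&2
        echo "keeping existing $bundle.ocsp" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage (hypothetical path): refresh_ocsp /path/to/site.pem && reload haproxy
```

Run it from cron so the stapled response is renewed before its Next Update; only a successful run needs to be followed by an HAProxy reload.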

        PiBa

          Hi Michael

          Looks to me like the issue is on the StartSSL side: https://forum.startcom.org/viewtopic.php?f=15&p=22411&sid=fe8d39fe277387117a769acfe59cf534

          With haproxy 0.30, OCSP still works properly for me with a certificate from another CA.

          As for OpenSSL 1.0.2, it's a bit tricky. haproxy is built against OpenSSL from ports. If you currently check the haproxy -vv output you'll see that the newest dev4 package is showing the following:

          Built with OpenSSL version : OpenSSL 1.0.2d 9 Jul 2015
          Running on OpenSSL version : OpenSSL 1.0.1m 19 Mar 2015 (VERSIONS DIFFER!)

          I've not noticed problems caused by this yet. Also, I have discussed this with the pfSense devs, and it's deemed difficult to fix until the new pkgng package system is used.

          Best regards
          PiBa-NL

          michaelschefczyk

            Dear PiBa,

            Thank you very much. The OCSP issue was indeed caused by a problem in StartCom's infrastructure, as StartCom's friendly certmaster did confirm. It is gone at present and I hope that it will remain OK in the future.

            Thanks for following up on the OpenSSL issue. It would be good to move from NPN to ALPN before major providers and their browsers (Chrome) make the switch, probably by the end of 2015, if they stick to their announcements. Nevertheless, all of us should practically take it as it is.

            Regards,

            Michael
