— 2 min read

Contents

With haproxy 1.5 finally being released we are lucky enough to get a basic interface around OCSP stapling.

Sadly this interface really is quite basic and it’s not the simplest thing to figure out without some trial and error.

According to the official documentation, you should be able to pipe your OCSP response to haproxy via it’s stats socket. Sadly I could not get this to work properly at all, so I decided to swap the piping for a file and reload solution.

You’ll need to get a copy of your certification authorities root certificate to proceed with this.

Looking for your OCSP URI

If you don’t know the URI you need to do an OCSP lookup against, you can find it in your certificate data.

openssl x509 -in /path/to/your/certificate -text

Inside the output, look for the following section.

Authority Information Access:
    CA Issuers - URI:https://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt
    OCSP - URI:https://ocsp2.globalsign.com/gsdomainvalsha2g2

Testing OCSP response

openssl ocsp -noverify -issuer /path/to/your/ca/root/certificate \
             -cert /path/to/your/certificate -url "OCSP_URI"

You should see a response like the one below.

/path/to/your/certificate: good
This Update: Jul  2 23:01:54 2014 GMT

If you get any errors from this, you may need to try these additional arguments;

Disable nonces

-no_nonce

This will disable nonces, some servers are not able to handle nonces so you may need to disable them.

Send a “Host” header

If you get an HTTP status like a 403 or 404 then you may need to specify a host header.

-header Host OCSP_URI_DOMAIN

For my certificate the OCSP URI is https://ocsp2.globalsign.com/gsdomainvalsha2g2 so the Host header would be like below.

-header Host ocsp2.globalsign.com

Proving OCSP data to haproxy

If the above testing was all OK, we can now actually use the data.

openssl ocsp -noverify -issuer /path/to/your/ca/root/certificate \
             -cert /path/to/your/certificate \
             -url "OCSP_URI" -respout /path/to/your/certificate.ocsp

One thing to note is, if your certificate file is /etc/ssl/certs/kura.gg.crt then you must set -respout to /etc/ssl/certs/kura.gg.crt.ocsp

You can now simply reload haproxy and check your OCSP staping is working.

Testing OCSP from haproxy

openssl s_client -connect domain.tld:443 -tls1 -tlsextdebug -status

Near the top of the response you’ll see your OCSP information.

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: DFDE6C7C4B6C4098FA6992156D2B082875FD6443
    Produced At: Jul  2 22:58:27 2014 GMT
    Responses:
    Certificate ID:
        Hash Algorithm: sha1
        Issuer Name Hash: D1F1B576F9EEC0C10F7AFC7C3124A9C3625D7C61
        Issuer Key Hash: EA4E7CD4802DE5158186268C826DC098A4CF970F
        Serial Number: 1121C92209F7127584AAFEB2B08ECDD30A9D
    Cert Status: good
    This Update: Jul  2 22:58:27 2014 GMT

Updating OCSP

The simplest way of doing this is by using cron.daily or something similar to update your certificate.ocsp file.

Related articles

Kura

Anarchist. Pessimist. Bipolar. Hacker. Hyperpolyglot. Musician. Ex-(semi-)pro gamer. They/Them.

Kura
View Source