Posted to issues@trafficserver.apache.org by "Susan Hinrichs (JIRA)" <ji...@apache.org> on 2016/04/18 21:14:25 UTC

[jira] [Comment Edited] (TS-4179) OCSP stapling broken with RSA+ECDSA cert serving

    [ https://issues.apache.org/jira/browse/TS-4179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15246350#comment-15246350 ] 

Susan Hinrichs edited comment on TS-4179 at 4/18/16 7:13 PM:
-------------------------------------------------------------

Within ssl_store_ssl_context, we call

const char *certname = sslMultCertSettings.cert.get();

which returns the comma-delimited names for the certs.  But these values are used directly as the certificate name for the ocsp stapling enabling and elsewhere.

Oh, nevermind.  That isn't it.  It just makes the error messages confusing.


was (Author: shinrich):
Within ssl_store_ssl_context, we call

const char *certname = sslMultCertSettings.cert.get();

which returns the comma-delimited names for the certs.  But these values are used directly as the certificate name for the ocsp stapling enabling and elsewhere.

> OCSP stapling broken with RSA+ECDSA cert serving
> ------------------------------------------------
>
>                 Key: TS-4179
>                 URL: https://issues.apache.org/jira/browse/TS-4179
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: Scott Beardsley
>            Assignee: Susan Hinrichs
>            Priority: Minor
>              Labels: yahoo
>             Fix For: 6.2.0
>
>
> When I try to serve both an RSA and an ECDSA cert using a config like so:
>
> $ grep ocsp records.config
> CONFIG proxy.config.ssl.ocsp.enabled INT 1
> $ grep -v ^# ssl_multicert.config
> dest_ip=* ssl_cert_name=ecdsa.crt,rsa.crt ssl_key_name=ecdsa.key,rsa.key
>
> I get the following error displayed in diags.log:
>
> WARNING: fail to configure SSL_CTX for OCSP Stapling info for certificate at ecdsa.crt
>
> Also when I connect via either of the following I get no stapled cert:
>
> $ openssl s_client -connect localhost:443 -cipher 'ECDHE-ECDSA-AES128-SHA' -status
> CONNECTED(00000003)
> OCSP response: no response sent
> ...
> $ openssl s_client -connect localhost:443 -cipher 'ECDHE-RSA-AES128-SHA' -status
> CONNECTED(00000003)
> OCSP response: no response sent
> ...
> $
>
> Here are the debug log messages:
>
> diags.log:[Feb  5 22:44:03.230] Server {0x2afd2845bd80} WARNING: fail to configure SSL_CTX for OCSP Stapling info for certificate at ecdsa.crt
> traffic.out:[Feb  5 22:44:03.230] Server {0x2afd2845bd80} DEBUG: (ssl) ssl ocsp stapling is enabled
> traffic.out:[Feb  5 22:44:41.250] Server {0x2afd2ab89700} DEBUG: (ssl) ssl_callback_ocsp_stapling: fail to get certificate information



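The comment above turns on the fact that a multi-cert ssl_multicert.config line carries a comma-delimited list ("ssl_cert_name=ecdsa.crt,rsa.crt") and that per-certificate work such as OCSP stapling setup needs one file name at a time. The following is an added illustration, not Traffic Server code: it parses a line in the format shown in the issue (attribute names dest_ip, ssl_cert_name and ssl_key_name are taken from the page; the function and struct names, the rejection of a cert/key count mismatch, and the fallback of dest_ip to "*" are this example's own assumptions) and expands it into one entry per certificate, so that anything keyed on a certificate file name is handed "ecdsa.crt" rather than the joined "ecdsa.crt,rsa.crt" string.

```cpp
// Added example (not Traffic Server code): expand one ssl_multicert.config
// line of the form shown in TS-4179 into per-certificate entries.
#include <iostream>
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

struct CertEntry {
    std::string dest_ip;  // "*" when the line gives no dest_ip (assumed default)
    std::string cert;     // exactly one file name, e.g. "ecdsa.crt"
    std::string key;      // matching key file, or "" when no ssl_key_name is given
};

// Split "a,b,c" into {"a","b","c"}; empty items are dropped.
static std::vector<std::string> split_commas(const std::string& s) {
    std::vector<std::string> out;
    std::string item;
    std::istringstream in(s);
    while (std::getline(in, item, ',')) {
        if (!item.empty()) out.push_back(item);
    }
    return out;
}

// Parse whitespace-separated "attr=value" tokens (values contain no spaces).
static std::map<std::string, std::string> parse_kv(const std::string& line) {
    std::map<std::string, std::string> kv;
    std::istringstream in(line);
    std::string tok;
    while (in >> tok) {
        auto eq = tok.find('=');
        if (eq == std::string::npos) throw std::runtime_error("bad token: " + tok);
        kv[tok.substr(0, eq)] = tok.substr(eq + 1);
    }
    return kv;
}

// Expand the comma lists into one CertEntry per certificate. Any per-cert
// step (loading the file, enabling OCSP stapling for it) should be keyed on
// entry.cert, never on the joined "ecdsa.crt,rsa.crt" string.
std::vector<CertEntry> expand_multicert_line(const std::string& line) {
    auto kv = parse_kv(line);
    if (kv.count("ssl_cert_name") == 0) throw std::runtime_error("missing ssl_cert_name");
    std::vector<std::string> certs = split_commas(kv["ssl_cert_name"]);
    std::string keys_str = kv.count("ssl_key_name") ? kv["ssl_key_name"] : std::string();
    std::vector<std::string> keys = split_commas(keys_str);
    // Keys are matched to certs by position, so the counts must agree.
    if (!keys.empty() && keys.size() != certs.size())
        throw std::runtime_error("ssl_key_name count does not match ssl_cert_name count");
    std::string dest_ip = kv.count("dest_ip") ? kv["dest_ip"] : std::string("*");
    std::vector<CertEntry> out;
    for (size_t i = 0; i < certs.size(); ++i) {
        out.push_back(CertEntry{dest_ip, certs[i], keys.empty() ? std::string() : keys[i]});
    }
    return out;
}

// True when the line parses and its cert/key counts are consistent.
bool multicert_line_valid(const std::string& line) {
    try {
        expand_multicert_line(line);
        return true;
    } catch (const std::runtime_error&) {
        return false;
    }
}

int main() {
    // Constructed input: the exact line from the issue report.
    const std::string line =
        "dest_ip=* ssl_cert_name=ecdsa.crt,rsa.crt ssl_key_name=ecdsa.key,rsa.key";
    for (const CertEntry& e : expand_multicert_line(line)) {
        std::cout << e.dest_ip << " cert=" << e.cert << " key=" << e.key << "\n";
    }
    return 0;
}
```

Run stand-alone, the program prints one line per certificate (ecdsa.crt with ecdsa.key, then rsa.crt with rsa.key); a line such as "ssl_cert_name=a.crt,b.crt ssl_key_name=a.key" is rejected rather than silently pairing the wrong key with a cert.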
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)