Posted to issues@trafficserver.apache.org by "Susan Hinrichs (JIRA)" <ji...@apache.org> on 2016/11/29 00:57:59 UTC

[jira] [Updated] (TS-4179) OCSP stapling broken with RSA+ECDSA cert serving

     [ https://issues.apache.org/jira/browse/TS-4179?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Susan Hinrichs updated TS-4179:
-------------------------------
    Assignee: Syeda Persia Aziz  (was: Susan Hinrichs)

> OCSP stapling broken with RSA+ECDSA cert serving
> ------------------------------------------------
>
>                 Key: TS-4179
>                 URL: https://issues.apache.org/jira/browse/TS-4179
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: Scott Beardsley
>            Assignee: Syeda Persia Aziz
>            Priority: Minor
>              Labels: yahoo
>             Fix For: 7.1.0
>
>
> When I try to serve both an RSA and an ECDSA cert using a config like so:
> $ grep ocsp records.config
> CONFIG proxy.config.ssl.ocsp.enabled INT 1
> $ grep -v ^# ssl_multicert.config
> dest_ip=* ssl_cert_name=ecdsa.crt,rsa.crt ssl_key_name=ecdsa.key,rsa.key
> I get the following error displayed in diags.log:
> WARNING: fail to configure SSL_CTX for OCSP Stapling info for certificate at ecdsa.crt
> Also when I connect via either of the following I get no stapled cert:
> $ openssl s_client -connect localhost:443 -cipher 'ECDHE-ECDSA-AES128-SHA' -status
> CONNECTED(00000003)
> OCSP response: no response sent
> ...
> $ openssl s_client -connect localhost:443 -cipher 'ECDHE-RSA-AES128-SHA' -status
> CONNECTED(00000003)
> OCSP response: no response sent
> ...
> $
> Here are the debug log messages:
> diags.log:[Feb  5 22:44:03.230] Server {0x2afd2845bd80} WARNING: fail to configure SSL_CTX for OCSP Stapling info for certificate at ecdsa.crt
> traffic.out:[Feb  5 22:44:03.230] Server {0x2afd2845bd80} DEBUG: (ssl) ssl ocsp stapling is enabled
> traffic.out:[Feb  5 22:44:41.250] Server {0x2afd2ab89700} DEBUG: (ssl) ssl_callback_ocsp_stapling: fail to get certificate information



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
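
Added example (not part of the JIRA issue and not Traffic Server code): a shell check that repeats the two s_client probes from the report and classifies each result, so a server offering both an RSA and an ECDSA certificate can be monitored for the stapling failure described above. The function names, the -tls1_2 flag and the stapled sample output are assumptions of this example; -tls1_2 is used so that the -cipher string decides which certificate is served.

```shell
#!/bin/sh
# Classify `openssl s_client -status` output for each certificate type.

# Constructed sample inputs (the first mirrors the output quoted in the report).
SAMPLE_MISSING='CONNECTED(00000003)
OCSP response: no response sent'
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'

# Read s_client output on stdin and print one of:
#   missing        server sent no stapled response
#   stapled-good   response present, status successful, cert status good
#   stapled-other  response present but cert status is not good
#   unknown        no OCSP lines at all (for example the handshake failed)
staple_status() {
    awk '
        /OCSP response: no response sent/   { missing = 1 }
        /OCSP Response Status: successful/  { ok = 1 }
        /Cert Status: good/                 { good = 1 }
        /Cert Status: (revoked|unknown)/    { bad = 1 }
        END {
            if (missing)                 print "missing"
            else if (ok && good && !bad) print "stapled-good"
            else if (ok)                 print "stapled-other"
            else                         print "unknown"
        }'
}

# check_dual_cert HOST:PORT
# Probes once with an ECDSA-only and once with an RSA-only cipher, prints the
# result per cipher, and returns 0 only if both probes got a good staple.
check_dual_cert() {
    target=$1
    rc=0
    for cipher in ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA; do
        status=$(openssl s_client -connect "$target" -tls1_2 -cipher "$cipher" \
                     -status </dev/null 2>/dev/null | staple_status)
        printf '%s %s\n' "$cipher" "$status"
        [ "$status" = "stapled-good" ] || rc=1
    done
    return $rc
}
```

Run it as `check_dual_cert localhost:443`; against the configuration in the report both lines would read "missing".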