Posted to issues@trafficserver.apache.org by "Scott Beardsley (JIRA)" <ji...@apache.org> on 2016/02/05 23:46:39 UTC

[jira] [Created] (TS-4179) OCSP stapling broken with RSA+ECDSA cert serving

Scott Beardsley created TS-4179:
-----------------------------------

             Summary: OCSP stapling broken with RSA+ECDSA cert serving
                 Key: TS-4179
                 URL: https://issues.apache.org/jira/browse/TS-4179
             Project: Traffic Server
          Issue Type: Bug
          Components: SSL
            Reporter: Scott Beardsley


When I try to serve both an RSA and an ECDSA cert using a config like so:

$ grep ocsp records.config
CONFIG proxy.config.ssl.ocsp.enabled INT 1
$ grep -v ^# ssl_multicert.config
dest_ip=* ssl_cert_name=ecdsa.crt,rsa.crt ssl_key_name=ecdsa.key,rsa.key

I get the following error displayed in diags.log:

WARNING: fail to configure SSL_CTX for OCSP Stapling info for certificate at ecdsa.crt

Also when I connect via either of the following I get no stapled cert:

$ openssl s_client -connect localhost:443 -cipher 'ECDHE-ECDSA-AES128-SHA' -status
CONNECTED(00000003)
OCSP response: no response sent
...
$ openssl s_client -connect localhost:443 -cipher 'ECDHE-RSA-AES128-SHA' -status
CONNECTED(00000003)
OCSP response: no response sent
...
$

Here are the debug log messages:

diags.log:[Feb  5 22:44:03.230] Server {0x2afd2845bd80} WARNING: fail to configure SSL_CTX for OCSP Stapling info for certificate at ecdsa.crt

traffic.out:[Feb  5 22:44:03.230] Server {0x2afd2845bd80} DEBUG: (ssl) ssl ocsp stapling is enabled
traffic.out:[Feb  5 22:44:41.250] Server {0x2afd2ab89700} DEBUG: (ssl) ssl_callback_ocsp_stapling: fail to get certificate information



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
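A small check for the condition described in this report, added here as an example that is not part of the JIRA issue or of Traffic Server itself: it runs the same `openssl s_client -status` probe once per cipher so that both the ECDSA and the RSA certificate are exercised, classifies the output by looking for the "OCSP response: no response sent" line versus the "OCSP Response Data:" block that OpenSSL prints when a stapled response is present, and exits non-zero if either certificate is served without one. It assumes `openssl` is on PATH and that the host and port are supplied as arguments; the sample output lines used to exercise the parser are constructed.

```shell
#!/bin/sh
# Added example: verify that a server staples an OCSP response for both
# its ECDSA and its RSA certificate (not code from the JIRA report or ATS).

# Classify `openssl s_client -status` output read on stdin.
# Prints "stapled", "none" or "unknown".
ocsp_status() {
  awk '
    /^OCSP response: no response sent/ { print "none";    found=1; exit }
    /^OCSP Response Data:/             { print "stapled"; found=1; exit }
    END { if (!found) print "unknown" }
  '
}

# Probe host:port with a cipher that forces selection of one certificate.
# Usage: check_stapling localhost 443 ECDHE-ECDSA-AES128-SHA
# Returns 0 only if a stapled response was seen.
check_stapling() {
  host=$1; port=$2; cipher=$3
  # Empty stdin makes s_client exit right after the handshake.
  out=$(printf '' | openssl s_client -connect "$host:$port" \
          -cipher "$cipher" -status 2>/dev/null)
  status=$(printf '%s\n' "$out" | ocsp_status)
  echo "$cipher: $status"
  [ "$status" = "stapled" ]
}

# Run the two probes from the report; fail if either certificate lacks a
# stapled response (the symptom described above shows "none" for both).
check_both() {
  rc=0
  check_stapling "$1" "$2" ECDHE-ECDSA-AES128-SHA || rc=1
  check_stapling "$1" "$2" ECDHE-RSA-AES128-SHA   || rc=1
  return $rc
}

# Only probe when a host and port were given, e.g. ./ocsp_check.sh localhost 443
if [ $# -ge 2 ]; then
  check_both "$1" "$2"
fi
```

The cipher strings are the ones used in the report; on newer OpenSSL builds that default to TLS 1.3, add `-tls1_2` to the `s_client` call so that `-cipher` still selects the certificate type.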