Obligatory "I am not a C programmer" and "my first upstream patch" messages.
We had an issue where one of our server certificate issuers was sending us
responses with 20 different single responses included. The serial numbers
in the Certificate IDs were exactly sequential, so I'm guessing they're
pre-generating the responses in chunks. HAProxy didn't like it:
"OCSP response ignored because contains multiple single responses (20).
Content will be ignored."
I did see the comment in src/ssl_sock.c. "Note: OCSP response containing
more than one OCSP Single response is not considered valid." But I'm not
sure how true that really is nowadays. From my searches this morning, it
seems the standards themselves have been found to be lacking, which has
resulted in browser support chaos (surprising no one). I'm coming from
Apache httpd, which happily serves the full responses.
If accepted or adapted, the documentation should be updated as well.
Rob Thralls
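To make concrete what a batched response like the one described above looks like on the wire, and what the two possible policies do with it, here is an added example (not HAProxy code and not the patch under discussion). It is a minimal hand-rolled DER encoder/decoder in Python: it builds a "successful" OCSPResponse carrying twenty SingleResponse entries with sequential serial numbers, lists them, applies the strict rule behind the quoted "multiple single responses" message, and then applies the alternative of selecting only the entry whose CertID matches the server's own certificate. The issuer hashes, times and signature are constructed placeholders; a real consumer must still verify the responder signature and the thisUpdate/nextUpdate window before trusting any entry, which this code deliberately does not do.

```python
# Added example: minimal DER codec for OCSPResponse (RFC 6960 layout), used to
# inspect batched responses. Not HAProxy's implementation; sample data is
# constructed (placeholder signature, fixed times, dummy issuer hashes).

# DER-encoded OIDs: sha1, id-pkix-ocsp-basic, sha256WithRSAEncryption.
OID_SHA1 = b"\x06\x05\x2b\x0e\x03\x02\x1a"
OID_OCSP_BASIC = b"\x06\x09\x2b\x06\x01\x05\x05\x07\x30\x01\x01"
OID_SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
SAMPLE_NAME_HASH = b"\x11" * 20   # constructed issuerNameHash (SHA-1 sized)
SAMPLE_KEY_HASH = b"\x22" * 20    # constructed issuerKeyHash
STATUS_NAMES = {0x80: "good", 0xa1: "revoked", 0x82: "unknown"}  # CertStatus tags


def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def seq(*items):
    return tlv(0x30, b"".join(items))


def integer(n):
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def build_ocsp_response(serials, name_hash=SAMPLE_NAME_HASH, key_hash=SAMPLE_KEY_HASH):
    """Build a 'successful' OCSPResponse with one SingleResponse (status good)
    per serial. The signature is zeros: good for exercising parsers, nothing else."""
    def cert_id(serial):
        return seq(seq(OID_SHA1, b"\x05\x00"), tlv(0x04, name_hash),
                   tlv(0x04, key_hash), integer(serial))

    def single(serial):
        return seq(cert_id(serial), b"\x80\x00",                # certStatus: good
                   tlv(0x18, b"20240101000000Z"),               # thisUpdate
                   tlv(0xa0, tlv(0x18, b"20240108000000Z")))    # nextUpdate [0]

    tbs = seq(tlv(0xa2, tlv(0x04, key_hash)),                   # responderID byKey [2]
              tlv(0x18, b"20240101000000Z"),                    # producedAt
              seq(*(single(s) for s in serials)))               # responses
    basic = seq(tbs, seq(OID_SHA256_RSA, b"\x05\x00"),
                tlv(0x03, b"\x00" + bytes(64)))                 # placeholder signature
    return seq(b"\x0a\x01\x00",                                 # responseStatus: successful
               tlv(0xa0, seq(OID_OCSP_BASIC, tlv(0x04, basic))))


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def single_responses(ocsp_der):
    """Return one dict per SingleResponse, in the order the responder sent them."""
    _, outer, _ = der_read(ocsp_der)
    tag, status, pos = der_read(outer)
    if tag != 0x0a or status != b"\x00":
        raise ValueError("responseStatus is not successful")
    _, rb_wrap, _ = der_read(outer, pos)               # responseBytes [0]
    _, rb, _ = der_read(rb_wrap)                       # ResponseBytes SEQUENCE
    _, oid, pos = der_read(rb)
    if oid != OID_OCSP_BASIC[2:]:
        raise ValueError("unexpected responseType")
    _, basic_der, _ = der_read(rb, pos)                # OCTET STRING
    _, basic, _ = der_read(basic_der)                  # BasicOCSPResponse
    _, tbs, _ = der_read(basic)                        # ResponseData
    tag, _, pos = der_read(tbs)
    if tag == 0xa0:                                    # optional version [0]
        _, _, pos = der_read(tbs, pos)                 # then responderID
    _, _, pos = der_read(tbs, pos)                     # producedAt
    _, responses, _ = der_read(tbs, pos)               # SEQUENCE OF SingleResponse
    out, pos = [], 0
    while pos < len(responses):
        _, sr, pos = der_read(responses, pos)
        _, cid, p = der_read(sr)
        status_tag, _, _ = der_read(sr, p)
        _, _, q = der_read(cid)                        # hashAlgorithm, skipped
        _, nh, q = der_read(cid, q)
        _, kh, q = der_read(cid, q)
        _, serial, _ = der_read(cid, q)
        out.append({"serial": int.from_bytes(serial, "big"), "issuer_name_hash": nh,
                    "issuer_key_hash": kh, "status": STATUS_NAMES.get(status_tag, "?")})
    return out


def select_for_certificate(ocsp_der, serial, name_hash, key_hash):
    """Policy B: keep a batched response, use only the entry whose CertID is ours."""
    for sr in single_responses(ocsp_der):
        if (sr["serial"], sr["issuer_name_hash"], sr["issuer_key_hash"]) == (serial, name_hash, key_hash):
            return sr
    return None


def accept_only_single(ocsp_der):
    """Policy A (the strict rule behind the quoted log line): reject any
    response carrying more than one SingleResponse."""
    return len(single_responses(ocsp_der)) == 1


if __name__ == "__main__":
    batched = build_ocsp_response(range(1000, 1020))   # 20 sequential serials
    print(len(single_responses(batched)), "single responses; strict policy accepts:",
          accept_only_single(batched))
    print("our entry:", select_for_certificate(batched, 1007, SAMPLE_NAME_HASH, SAMPLE_KEY_HASH))
```

The matching in `select_for_certificate` deliberately compares the whole CertID (both issuer hashes plus the serial), not just the serial: serials are only unique per issuer, and a batched response could in principle mix entries from issuers sharing a responder. Whichever policy a stapling server adopts, the signature check and validity window still gate whether the selected entry may be served at all.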