haproxy/include/proto
Emeric Brun 4147b2ef10 MEDIUM: ssl: basic OCSP stapling support.
The support is all based on static responses. This doesn't add any
request / response logic to HAProxy, but allows a way to update
information through the socket interface.

Currently certificates specified using "crt" or "crt-list" on "bind" lines
are loaded as PEM files.
For each PEM file, haproxy checks for the presence of a file at the same path
suffixed by ".ocsp". If such file is found, support for the TLS Certificate
Status Request extension (also known as "OCSP stapling") is automatically
enabled. The content of this file is optional. If not empty, it must contain
a valid OCSP Response in DER format. In order to be valid an OCSP Response
must comply with the following rules: it has to indicate a good status,
it has to be a single response for the certificate of the PEM file, and it
has to be valid at the moment of addition. If these rules are not respected
the OCSP Response is ignored and a warning is emitted. In order to identify
which certificate an OCSP Response applies to, the issuer's certificate is
necessary. If the issuer's certificate is not found in the PEM file, it will
be loaded from a file at the same path as the PEM file suffixed by ".issuer"
if it exists; otherwise it will fail with an error.

It is possible to update an OCSP Response from the unix socket using:

  set ssl ocsp-response <response>

This command is used to update an OCSP Response for a certificate (see "crt"
on "bind" lines). The same controls are performed as during the initial loading of
the response. The <response> must be passed as a base64 encoded string of the
DER encoded response from the OCSP server.

Example:
  openssl ocsp -issuer issuer.pem -cert server.pem \
               -host ocsp.issuer.com:80 -respout resp.der
  echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
               socat stdio /var/run/haproxy.stat

This feature is automatically enabled on openssl 0.9.8h and above.

This work was performed jointly by Dirkjan Bussink of GitHub and
Emeric Brun of HAProxy Technologies.
2014-06-18 18:28:56 +02:00
acl.h MINOR: pattern: store configuration reference for each acl or map pattern. 2014-03-17 18:06:07 +01:00
arg.h
auth.h MEDIUM: pattern: The match function browse itself the list or the tree. 2014-03-17 18:06:07 +01:00
backend.h MAJOR: checks: add support for a new "drain" administrative mode 2014-05-23 14:29:11 +02:00
channel.h CLEANUP: buffers: remove unused function buffer_contig_space_with_res() 2014-04-24 17:19:22 +02:00
checks.h MEDIUM: checks: simplify server up/down/nolb transitions 2014-05-23 14:29:11 +02:00
compression.h
connection.h MEDIUM: connection: Implement and extended PROXY Protocol V2 2014-05-09 08:25:38 +02:00
cttproxy.h
dumpstats.h MEDIUM: stats: reimplement HTTP keep-alive on the stats page 2014-04-24 17:24:56 +02:00
fd.h BUG/MEDIUM: polling: fix possible CPU hogging of worker processes after receiving SIGUSR1. 2014-05-20 14:57:36 +02:00
freq_ctr.h MINOR: freq_ctr: introduce a new averaging method 2014-06-17 17:15:51 +02:00
frontend.h
hdr_idx.h
lb_chash.h
lb_fas.h
lb_fwlc.h
lb_fwrr.h
lb_map.h
listener.h
log.h MINOR: configuration: File and line propagation 2014-03-17 18:06:08 +01:00
map.h MINOR: map: export parse output sample functions 2013-12-12 15:44:05 +01:00
obj_type.h
pattern.h MEDIUM: pattern: use ebtree's longest match to index/lookup string beginning 2014-05-10 08:53:48 +02:00
payload.h
peers.h
pipe.h
port_range.h
proto_http.h MEDIUM: http: add actions "replace-header" and "replace-values" in http-req/resp 2014-06-17 18:34:32 +02:00
proto_tcp.h BUG/MEDIUM: stick-table: fix IPv4-to-IPv6 conversion in src_* fetches 2014-04-14 18:22:57 +02:00
proto_uxst.h
protocol.h
proxy.h MEDIUM: proxy: create a tree to store proxies by name 2014-03-15 07:48:35 +01:00
queue.h REORG: checks: put the functions in the appropriate files! 2014-05-22 11:27:00 +02:00
raw_sock.h
sample.h MINOR: configuration: File and line propagation 2014-03-17 18:06:08 +01:00
server.h MAJOR: checks: add support for a new "drain" administrative mode 2014-05-23 14:29:11 +02:00
session.h MEDIUM: session: maintain per-backend and per-server time statistics 2014-06-17 17:15:56 +02:00
shctx.h BUG/MAJOR: ssl: Fallback to private session cache if current lock mode is not supported. 2014-05-08 22:46:32 +02:00
signal.h
ssl_sock.h MEDIUM: ssl: basic OCSP stapling support. 2014-06-18 18:28:56 +02:00
stick_table.h
stream_interface.h MEDIUM: stream-int: make si_connect() return an established state when possible 2013-12-31 23:32:12 +01:00
task.h
template.h