haproxy/doc
Emeric Brun 4147b2ef10 MEDIUM: ssl: basic OCSP stapling support.
The support is all based on static responses. This doesn't add any
request / response logic to HAProxy, but allows a way to update
information through the socket interface.

Currently certificates specified using "crt" or "crt-list" on "bind" lines
are loaded as PEM files.
For each PEM file, haproxy checks for the presence of file at the same path
suffixed by ".ocsp". If such file is found, support for the TLS Certificate
Status Request extension (also known as "OCSP stapling") is automatically
enabled. The content of this file is optional. If not empty, it must contain
a valid OCSP Response in DER format. In order to be valid an OCSP Response
must comply with the following rules: it has to indicate a good status,
it has to be a single response for the certificate of the PEM file, and it
has to be valid at the moment of addition. If these rules are not respected
the OCSP Response is ignored and a warning is emitted. In order to  identify
which certificate an OCSP Response applies to, the issuer's certificate is
necessary. If the issuer's certificate is not found in the PEM file, it will
be loaded from a file at the same path as the PEM file suffixed by ".issuer"
if it exists otherwise it will fail with an error.

It is possible to update an OCSP Response from the unix socket using:

  set ssl ocsp-response <response>

This command is used to update an OCSP Response for a certificate (see "crt"
on "bind" lines). Same controls are performed as during the initial loading of
the response. The <response> must be passed as a base64 encoded string of the
DER encoded response from the OCSP server.

Example:
  openssl ocsp -issuer issuer.pem -cert server.pem \
               -host ocsp.issuer.com:80 -respout resp.der
  echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
               socat stdio /var/run/haproxy.stat

This feature is automatically enabled on openssl 0.9.8h and above.

This work was performed jointly by Dirkjan Bussink of GitHub and
Emeric Brun of HAProxy Technologies.
2014-06-18 18:28:56 +02:00
..
design-thoughts DOC: add a diagram to explain how circular buffers work 2012-04-30 11:57:00 +02:00
internals DOC: internal: add some reminders about HTTP parsing and pointer states 2014-04-22 23:15:29 +02:00
acl.fig
architecture.txt MINOR: patch for minor typo (ressources/resources) 2012-03-21 07:54:41 +01:00
close-options.txt [DOC] add a few old and uncommitted docs 2011-09-05 01:04:44 +02:00
coding-style.txt DOC: add a coding-style file 2011-12-30 17:33:27 +01:00
configuration.txt MEDIUM: ssl: basic OCSP stapling support. 2014-06-18 18:28:56 +02:00
cookie-options.txt [DOC] add a few old and uncommitted docs 2011-09-05 01:04:44 +02:00
gpl.txt
haproxy-en.txt MEDIUM: New cli option -Ds for systemd compatibility 2013-02-13 10:47:49 +01:00
haproxy-fr.txt MEDIUM: New cli option -Ds for systemd compatibility 2013-02-13 10:47:49 +01:00
haproxy.1 DOC: fix a few config typos. 2014-04-14 14:03:08 +02:00
lgpl.txt
proxy-protocol.txt DOC: minor updates to the proxy protocol doc 2014-06-14 11:46:02 +02:00
queuing.fig