OCSP stapling with HAProxy as a server

[vkssv]

This patch allows to load and validate OCSP response file in DER format, when haproxy starts. This file should be kept at the same path as the using server certificate and *.issuer file (set as ssl crt keyword value at haproxy's bind line):

bind *:1443 ssl crt show_ocsp_server.pem

~/haproxy master$ ls -al show_ocsp_server.pem*
-rw-r--r-- 1 root root 6918 mai   16 19:25 show_ocsp_server.pem
-rw-r--r-- 1 root root 1830 mai   16 19:25 show_ocsp_server.pem.issuer
-rw-r--r-- 1 root root 2281 mai   16 19:25 show_ocsp_server.pem.ocsp

Description

Please describe the scope of the fix or feature addition.

Fixes zd#

Testing

How did you test?

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[wolfSSL-Bot]

Can one of the admins verify this patch?

[dgarske]

Hi @vkssv ,

Can you tell me more about your project? I don't see you on our contributor list. Please send an email to support@ wolfssl.com and reference this PR to start the process for getting setup as a contributor.

Okay to test

Thanks, David Garske, wolfSSL

[dgarske]

@vkssv

The HAProxy test fails the ./tests/unit.test

FAILURES:
   648: test_wolfSSL_i2d_OCSP_CERTID

[vkssv]

Hello @dgarske !

I've provided this patch in order to illustrate and reproduce our problem with OCSP stapling, described at #7588.

So we are not intended to merge this. Just to help you to debug or provide us some hints, how we could use OCSP OpenSSL compatible d2i_OCSP_CERTID and i2d_OCSP_CERTID APIs.

Thanks in advance,

[dgarske]

@rizlik is working on fixing this internally. I will go ahead and close this.

[dgarske]

See #7779