OCSP not working with dual certs

[randall]

Recently we noticed that OCSP is not working for SSL configurations that are setup for dual certs. On startup, there's a warning about failing to configure OCSP for the set of certificates.

Currently we're running ATS 7.1.3(with the patch from #3004) with OpenSSL 1.1.0g. I've verified this also occurs on 7.1.1 with OpenSSL 1.0.2l

We have a configuration like this in ssl_multicert.config:
ssl_cert_name=sub.domain.com.rsa,sub.domain.com.ecdsa

On load, we see these messages in the logs regarding these certs:

traffic_server[57147]: {0x2aaaaaecc260} NOTE: cannot get issuer certificate from sub.domain.com.rsa,sub.domain.com.ecdsa
traffic_server[57147]: {0x2aaaaaecc260} WARNING: fail to configure SSL_CTX for OCSP Stapling info for certificate at sub.domain.com.rsa,sub.domain.com.ecdsa
traffic_server[57147]: {0x2aaaaaecc260} NOTE: certificate already initialized for sub.domain.com.rsa,sub.domain.com.ecdsa
traffic_server[57147]: {0x2aaaaaecc260} WARNING: fail to configure SSL_CTX for OCSP Stapling info for certificate at sub.domain.com.rsa,sub.domain.com.ecdsa
traffic_server[57147]: {0x2aaaaaecc260} WARNING: previously indexed ',sub.domain.com' with SSL_CTX 0x9d, cannot index it with SSL_CTX #158 now

Requests querying for certificate status for that domain, also result in an error message (for each request)

traffic_server[57147]: {0x2aaab35a8700} ERROR: ssl_callback_ocsp_stapling: failed to get certificate information

(can be triggered by "curl --cert-status ...")

[thelounge-zz]

we can be happy that multi certs work at all looking how fragile the code is given that every multicert config triggers errors like below which leads here in many UNDRET such messages spitting diags.log full for no purpose and lead in don't fnd serious things there because that repeates which every reload

[Apr 29 10:05:14.253] Server {0x7f0cad7ff700} WARNING: previously indexed 'contentlounge.buildserver.thelounge.net' with SSL_CTX 0x2f0, cannot index it with SSL_CTX #753 now
[Apr 29 10:05:14.258] Server {0x7f0cad7ff700} WARNING: previously indexed 'default.buildserver.thelounge.net' with SSL_CTX 0x2f1, cannot index it with SSL_CTX #754 now

[mlibbey]

@thelounge-zz your report is a dupe of #3498, which has #3520

[thelounge-zz]

@mlibbey i reported that months ago in a own bugreport because looking at the logs ATS don't support dual-stack at all which was not true and so that warnings are completly misleading, actually "ssl_cert_name" needs to listen both comma separated instead with own files making generate configs harden then it needs - but anyways, that logflood needs to go away better yetserday than tomorrow

currently the whole "diags.log" is useless because looking fro real problems is seeking a needle in a haystack

[abh]

Was this supposed to get closed? I see the same warning that @randall reported on 8.0.1.

[zwoop]

I don’t recall, @randall ?

[jvgutierrez]

I've just tested this with ATS 8.0.2. I get the warning but OCSP stapling appears to be working:

[Mar 14 10:18:41.936] {0x2b4070014240} WARNING: failed to configure SSL_CTX for OCSP Stapling info for certificate at rsa.crt,ecdsa.crt

tests using openssl s_client:

willikins:~ vgutierrez$ echo | openssl s_client -connect localhost:3129 -servername pinkunicorn.wikimedia.org -status -cipher ECDHE-RSA-AES128-GCM-SHA256 2>/dev/null |grep -i ocsp
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
willikins:~ vgutierrez$ echo | openssl s_client -connect localhost:3129 -servername pinkunicorn.wikimedia.org -status -cipher ECDHE-ECDSA-AES256-GCM-SHA384  2>/dev/null|grep -i ocsp
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response

[randall]

The other PR needed for OCSP dual certs (for 8.x) is #4762