OpenShift Service Mesh: OSSM-2208

With multiple cert chains, SSL handshake may fail if one with invalid OCSP response is selected


    • Type: Task
    • Resolution: Unresolved
    • Priority: Major
    • Component: Envoy
    • Sprint: Sprint 60, Sprint 61, Sprint 62

In Maistra Envoy we rely on OpenSSL to select the server-side certificate chain to use when multiple chains are configured in an SSL_CTX. OpenSSL's selection process does not, however, take into account the presence or status of an OCSP response.

This can lead to a situation where a client requests an OCSP response but a certificate chain with a missing or expired OCSP response is selected, leading to an SSL handshake failure (see TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst in test/extensions/transport_sockets/tls/ssl_socket_test.cc).

A possible approach is to use a cert_cb (see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cert_cb.html) and check OCSP response validity there. Using this callback raises the question of cert chain compatibility with the client-side cert and how to handle it (incompatible ECs, for example).
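The selection logic a cert_cb would need, as an added example written for this issue rather than code from Maistra, Envoy or OpenSSL. It contrasts the OpenSSL-style pick the issue describes (first chain the client's key type allows, blind to OCSP) with a callback-style pick that skips chains whose stapled response is missing or expired when the client asked for one, and falls back on the first usable chain otherwise. The types and functions (CertChain, ClientHello, ocspStapleAction, selectChain, naiveSelect, sampleChains), the sample chains and the timestamps are all constructed for the example; the policy names borrow Envoy's ocsp_staple_policy vocabulary, but the semantics modelled here are an assumption, not a statement of what Envoy does:

```cpp
// Added example (not Maistra/Envoy/OpenSSL code): server-side chain selection
// that takes the stapled OCSP response into account, i.e. the decision a
// cert_cb installed with SSL_CTX_set_cert_cb() would make in place of
// OpenSSL's default selection. Policy semantics are an assumption.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum class KeyType { RSA, ECDSA };
enum class OcspStaplePolicy { LenientStapling, StrictStapling, MustStaple };
enum class StapleAction { Staple, NoStaple, Fail };

// One configured chain plus whatever OCSP response was loaded with it.
struct CertChain {
  std::string name;
  KeyType key_type;
  bool must_staple;          // leaf carries the TLS Feature (status_request) extension
  bool has_ocsp;             // an OCSP response is attached at all
  int64_t ocsp_next_update;  // response is valid until this time (seconds since epoch)
};

// What a cert_cb can learn from the ClientHello: whether status_request was
// sent (SSL_get_tlsext_status_type) and whether an ECDSA sigalg is shared.
struct ClientHello {
  bool requested_ocsp;
  bool supports_ecdsa;
};

// What stapling this chain for this client would mean under the policy.
StapleAction ocspStapleAction(const CertChain& c, OcspStaplePolicy policy,
                              const ClientHello& hello, int64_t now) {
  if (!hello.requested_ocsp) return StapleAction::NoStaple;  // client did not ask
  if (c.must_staple) policy = OcspStaplePolicy::MustStaple;  // cert overrides config
  const bool valid = c.has_ocsp && c.ocsp_next_update > now;
  switch (policy) {
    case OcspStaplePolicy::LenientStapling:
      return valid ? StapleAction::Staple : StapleAction::NoStaple;
    case OcspStaplePolicy::StrictStapling:
      if (valid) return StapleAction::Staple;
      // an expired response is treated as worse than no response at all
      return c.has_ocsp ? StapleAction::Fail : StapleAction::NoStaple;
    case OcspStaplePolicy::MustStaple:
      return valid ? StapleAction::Staple : StapleAction::Fail;
  }
  return StapleAction::Fail;
}

// Key-type compatibility with the client (the "incompatible ECs" concern).
bool compatible(const CertChain& c, const ClientHello& hello) {
  return c.key_type != KeyType::ECDSA || hello.supports_ecdsa;
}

// The behaviour the issue describes: first chain the client's sigalgs allow,
// blind to OCSP. Returns an index into chains, or -1.
int naiveSelect(const std::vector<CertChain>& chains, const ClientHello& hello) {
  for (size_t i = 0; i < chains.size(); ++i)
    if (compatible(chains[i], hello)) return static_cast<int>(i);
  return -1;
}

// cert_cb-style selection: prefer the first compatible chain that can be
// stapled, fall back on the first compatible chain usable without a staple,
// and never pick one that would fail the handshake. -1 means the callback
// should return 0 and abort instead of letting the handshake fail later.
int selectChain(const std::vector<CertChain>& chains, OcspStaplePolicy policy,
                const ClientHello& hello, int64_t now) {
  int fallback = -1;
  for (size_t i = 0; i < chains.size(); ++i) {
    const CertChain& c = chains[i];
    if (!compatible(c, hello)) continue;
    switch (ocspStapleAction(c, policy, hello, now)) {
      case StapleAction::Staple: return static_cast<int>(i);
      case StapleAction::NoStaple: if (fallback < 0) fallback = static_cast<int>(i); break;
      case StapleAction::Fail: break;
    }
  }
  return fallback;
}

// Constructed sample configuration (no real certificates involved).
std::vector<CertChain> sampleChains() {
  return {
      {"rsa-stale-ocsp", KeyType::RSA, false, true, 100},   // response expired at t=100
      {"rsa-fresh-ocsp", KeyType::RSA, false, true, 2000},  // response valid until t=2000
      {"ecdsa-no-ocsp", KeyType::ECDSA, false, false, 0},   // nothing to staple
      {"rsa-must-staple", KeyType::RSA, true, false, 0},    // must-staple leaf, no response
  };
}

int main() {
  const int64_t now = 1000;
  const ClientHello hello{true, true};  // status_request sent, ECDSA supported
  const std::vector<CertChain> chains = sampleChains();
  const int naive = naiveSelect(chains, hello);
  if (naive >= 0) {
    const bool fails = ocspStapleAction(chains[naive], OcspStaplePolicy::StrictStapling,
                                        hello, now) == StapleAction::Fail;
    std::printf("OpenSSL-style pick: %s -> %s\n", chains[naive].name.c_str(),
                fails ? "handshake would fail" : "ok");
  }
  const int chosen = selectChain(chains, OcspStaplePolicy::StrictStapling, hello, now);
  std::printf("cert_cb pick: %s\n", chosen < 0 ? "(none, abort)" : chains[chosen].name.c_str());
  return 0;
}
```

In a real callback of the form `int cert_cb(SSL *ssl, void *arg)` the index returned by selectChain would drive `SSL_use_certificate()` and `SSL_use_PrivateKey()` for the chosen chain, plus `SSL_set_tlsext_status_ocsp_resp()` when the action is Staple, before the callback returns 1; a result of -1 maps to returning 0, which aborts the handshake with a server-side error instead of the client rejecting a bad staple. Whether the client asked for a response can be read with `SSL_get_tlsext_status_type(ssl) == TLSEXT_STATUSTYPE_ocsp`; the client-compatibility check is the part the issue leaves open and is only sketched here by key type.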

            rh-ee-dcillera Dario Cillerai
            ddolguik-ocp Dmitri Dolguikh (Inactive)
            Votes: 0
            Watchers: 4
