Forum Discussion
hui_37443
Nimbostratus
Feb 24, 2010
auth_result fired twice?
We have implemented an iRule to do OCSP check, based on the prize winner http://devcentral.f5.com/Default.aspx?tabid=108. When it encounters an error, it doesn't resume the suspended SSL::handshake. ...
hoolio
Cirrostratus
Mar 29, 2010
Hi Hui,
Thanks for that information. A possible workaround is to define a virtual server which load balances a pool of OCSP server(s). If you use a VIP, you can also add a monitor to the pool. In your main OCSP iRule, you can then check the state of the OCSP pool before attempting the remote auth. I put an example of this in the Codeshare:
http://devcentral.f5.com/wiki/default.aspx/iRules/client_cert_request_by_uri_with_ocsp_checking.html
# TODO:
# If the OCSP responder is an LTM VIP (used for load balancing multiple OCSP servers)
# you could add a check here of the OCSP server pool before attempting the OCSP validation.
# Just change my_ocsp_http_pool to the actual OCSP server pool name.

# Check if the OCSP server pool does not have any active members
if {[active_members my_ocsp_http_pool] == 0}{
   # OCSP servers are not available!!
   log local0.emerg "$log_prefix: OCSP auth pool is down! Resuming SSL handshake and blocking HTTP request."

   # Audit logging
   if {$::ocsp_audit_log_level > 0}{
      catch {log -noname local0. "cc_audit: $log_prefix; status_text=OCSP server pool is unavailable. Blocking request."}
   }

   # We could send an HTTP response from this event, but it doesn't actually get sent until
   # the CLIENTSSL_HANDSHAKE event anyhow. So track that this is an invalid request and set the app auth status code
   # to indicate OCSP validation of the cert failed.
   set invalidate_session 1
   SSL::handshake resume
   return
}
# TODO END:
I also did an example which handles resolution of the hostname for an OCSP server. I'll anonymize that rule and post it to the codeshare.
Aaron
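A complete rule built around the workaround Aaron describes, as an added example; it is not code from this thread or from the Codeshare rule. It assumes the OCSP responder is fronted by an LTM virtual server whose pool is named my_ocsp_http_pool (with a health monitor attached) and that an OCSP auth configuration named my_ocsp_auth exists; both names, and the assumption that AUTH::status returns 0 on success, are placeholders for this example. The point it adds to the snippet above is the AUTH_RESULT handler: every outcome (success, failure, responder error) goes through a path that releases the held handshake, so an error can no longer leave the connection suspended, and a per-connection done flag ignores a second AUTH_RESULT for a session that has already been decided.

```tcl
# Added example, not from the thread or the Codeshare rule.
# Placeholders: pool my_ocsp_http_pool, auth config my_ocsp_auth.
when RULE_INIT {
    # static:: rather than $:: so the virtual server is not demoted from CMP
    set static::ocsp_audit_log_level 1
}

when CLIENT_ACCEPTED {
    set ocsp_sid 0
    set ocsp_done 0
    set invalidate_session 0
    set log_prefix "[IP::client_addr]:[TCP::client_port]"
}

when CLIENTSSL_CLIENTCERT {
    # No client certificate presented: nothing to validate here.
    # Whether that is acceptable is decided by the client SSL profile's cert mode.
    if { [SSL::cert count] == 0 } {
        return
    }

    # Pool pre-check from the thread: do not start a remote auth when no OCSP
    # responder is up. Fail closed, but release the handshake so the client
    # gets a definite answer instead of a hung connection.
    if { [active_members my_ocsp_http_pool] == 0 } {
        log local0.emerg "$log_prefix: OCSP pool my_ocsp_http_pool is down; blocking request"
        if { $static::ocsp_audit_log_level > 0 } {
            catch {log -noname local0. "cc_audit: $log_prefix; status_text=OCSP pool unavailable"}
        }
        set invalidate_session 1
        SSL::handshake resume
        return
    }

    # Start (or reuse) the auth session and hold the handshake until AUTH_RESULT.
    set ocsp_done 0
    if { $ocsp_sid == 0 } {
        set ocsp_sid [AUTH::start pam my_ocsp_auth]
    }
    AUTH::cert_credential $ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $ocsp_sid
    SSL::handshake hold
}

when AUTH_RESULT {
    # Only act on a result for our own session, and only once per decision;
    # a repeated AUTH_RESULT for an already-handled session is ignored.
    if { $ocsp_sid == 0 || [AUTH::last_event_session_id] != $ocsp_sid || $ocsp_done } {
        return
    }
    set ocsp_done 1

    # Assumption for this example: AUTH::status is 0 on success; any other
    # value (failure or responder error) is treated identically and fails closed.
    if { [AUTH::status] == 0 } {
        SSL::handshake resume
    } else {
        log local0. "$log_prefix: OCSP validation did not succeed (status [AUTH::status]); blocking request"
        if { $static::ocsp_audit_log_level > 0 } {
            catch {log -noname local0. "cc_audit: $log_prefix; status_text=OCSP validation failed"}
        }
        set invalidate_session 1
        # Always release the hold: this is the line the reported bug was missing.
        SSL::handshake resume
    }
}

when HTTP_REQUEST {
    if { $invalidate_session } {
        HTTP::respond 403 content "Client certificate could not be validated" "Connection" "close"
        return
    }
}
```

Resuming the handshake and answering with a 403 gives the client a readable error; if you prefer to tear the connection down without completing the handshake, replace the resume on the failure paths with `reject`. Either choice is fail-closed; what matters is that no branch returns from AUTH_RESULT with the handshake still held.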