Forum Discussion
hui_37443
Nimbostratus
Feb 24, 2010
auth_result fired twice?
We have implemented an iRule to do an OCSP check, based on the prize winner http://devcentral.f5.com/Default.aspx?tabid=108. When it encounters an error, it doesn't resume the suspended SSL::handshake. ...
hui_37443
Nimbostratus
Dec 14, 2010
Craig, I've tried your solution but with no luck. However, it is quite interesting to notice that the second auth_result event fires 310 secs later, instead of the original 300! Therefore it suggests that the auth profile idle time setting dictates when the second auth_result event occurs (if there is one). In other words, the second auth_result is actually a timeout.
Apart from that, we tried switching off the OneConnect profile. Initial test results are quite encouraging. My observation is that when the incident happens, there are concurrent SSL handshake sessions. Chances are OneConnect confuses the OCSP authentication session, and the auth object is not closed properly even though the authentication result came back a while ago.
A while ago, we had a different issue with OneConnect. The NTLM authentication module on the web tier, behind LTM, was totally confused by the OneConnect TCP trunk. That's why we suspect OCSP gets tricky as well.
Anyway, code posted here.
when CLIENT_ACCEPTED {
    # Open one PAM auth session against the default_ssl_ocsp profile per TCP connection.
    set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
    log local0.debug "inside event CLIENT_ACCEPTED $tmm_auth_ssl_ocsp_sid"
}

when CLIENTSSL_CLIENTCERT {
    set ssl_cert [SSL::cert 0]
    set id [SSL::sessionid]
    set hash [b64encode [sha1 $ssl_cert]]
    # Session entry layout: element 0 = chain verification result,
    # element 1 = OCSP outcome, element 2 = hash of the client cert.
    set ssl_array [list blah1 blah2 $hash]
    lset ssl_array 0 [X509::verify_cert_error_string [SSL::verify_result]]
    log local0.debug "verify result [lindex $ssl_array 0]"
    # The cbz_ocsp_check data group acts as a feature flag: OCSP runs only if it contains "1".
    if {[matchclass 1 equals $::cbz_ocsp_check]} {
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid $ssl_cert
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        log local0.debug "doing OCSP"
        # Park the handshake until AUTH_RESULT decides whether to let it finish.
        SSL::handshake hold
    } else {
        log local0.debug "ocsp bypassed"
        lset ssl_array 1 "ocsp_bypassed"
        session add ssl "$id any pool" $ssl_array 21600
    }
}

when AUTH_RESULT {
    # Only act on results belonging to the session opened in CLIENT_ACCEPTED.
    if {[info exists tmm_auth_ssl_ocsp_sid] and $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        set tmm_auth_status [AUTH::status]
        log local0.debug "authentication status of round 1 $tmm_auth_status, $tmm_auth_ssl_ocsp_sid"
        if {$tmm_auth_status eq 0} {
            # Success
            log local0.debug "OCSP verification succeeded"
            SSL::handshake resume
            lset ssl_array 1 "auth_success"
        } elseif {$tmm_auth_status eq 1} {
            # Failure
            log local0.debug "OCSP verification failed, [AUTH::response_data]"
            SSL::handshake resume
            lset ssl_array 1 "auth_failure"
        } elseif {$tmm_auth_status eq -1} {
            # Error. Note that this branch records the failure but does not resume
            # the held handshake, which is the behaviour described at the top of the thread.
            log local0.debug "OCSP verification error, [AUTH::response_data]"
            lset ssl_array 1 "auth_failure"
        } else {
            # Not authorised
            log local0.debug "OCSP verification not authorised"
            reject
        }
        session add ssl "$id any pool" $ssl_array 21600
    }
}

when HTTP_REQUEST priority 100 {
    log local0. "Inside ocsp"
    # Static content is served without consulting the OCSP result.
    if {not([matchclass [string tolower [HTTP::path]] contains $::cbz_data_static])} {
        if {[matchclass 1 equals $::cbz_ocsp_check]} {
            set id [SSL::sessionid]
            set ssl_array1 [session lookup ssl "$id any pool"]
            set ssl_data0 [lindex $ssl_array1 0]
            set ssl_data1 [lindex $ssl_array1 1]
            log local0.debug "session id: $id ssl_data0: $ssl_data0 ssl_data1: $ssl_data1"
            if { $ssl_data0 contains "expired" } {
                log local0.debug "Certificate expired"
                HTTP::path "/common/common.web/html/CertificateExpired.html"
            } elseif { $ssl_data1 contains "auth_failure" } {
                log local0.debug "Authentication failure"
                HTTP::path "/Common/Common.Web/html/OcspFailed.html"
            } elseif { $ssl_data0 contains "ok" } {
                HTTP::header insert SSLCLientCertStatus $ssl_data1
            } else {
                log local0.debug "unknown error"
                HTTP::path "/common/common.web/html/CertificateError.html"
            }
        } else {
            log local0.debug "Generate ocsp bypass header"
            HTTP::header insert OcspBypassed 1
        }
    }
}
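A version of the same flow, added here as an illustration and not code from the thread or from F5, in which every AUTH_RESULT path either resumes or rejects the held handshake and a second AUTH_RESULT for the same auth session is ignored rather than acted on. It keeps the post's auth profile name `default_ssl_ocsp` and feature-flag data group `cbz_ocsp_check`; the variable names, the fail-closed choice on a responder error and the 403 responses in HTTP_REQUEST are assumptions made for the example.

```tcl
# Added example iRule, not the original poster's code. Assumes the PAM auth
# profile default_ssl_ocsp and the data group cbz_ocsp_check from the post;
# everything else here is illustrative.
when CLIENT_ACCEPTED {
    set ocsp_sid [AUTH::start pam default_ssl_ocsp]
    # Set once the first AUTH_RESULT for this connection has been handled,
    # so a later one (for example the auth profile idle timeout) cannot act twice.
    set ocsp_done 0
}

when CLIENTSSL_CLIENTCERT {
    set id [SSL::sessionid]
    set verify_str [X509::verify_cert_error_string [SSL::verify_result]]
    # Entry layout: {chain-verification-result ocsp-outcome}
    set ssl_state [list $verify_str "pending"]
    if {![matchclass 1 equals $::cbz_ocsp_check]} {
        lset ssl_state 1 "ocsp_bypassed"
        session add ssl "$id any pool" $ssl_state 21600
        return
    }
    AUTH::cert_credential $ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $ocsp_sid [SSL::cert issuer 0]
    AUTH::subscribe $ocsp_sid
    AUTH::authenticate $ocsp_sid
    # From here on every path in AUTH_RESULT must either resume or reject;
    # a path that does neither leaves the client hanging until a timeout.
    SSL::handshake hold
}

when AUTH_RESULT {
    if {![info exists ocsp_sid] || [AUTH::last_event_session_id] ne $ocsp_sid} {
        return
    }
    if {$ocsp_done} {
        log local0.debug "ignoring repeat AUTH_RESULT for $ocsp_sid, status [AUTH::status]"
        return
    }
    set ocsp_done 1
    set status [AUTH::status]
    if {$status == 0} {
        # Certificate is good: finish the handshake and record the outcome.
        lset ssl_state 1 "auth_success"
        SSL::handshake resume
    } elseif {$status == 1} {
        # Revoked or otherwise rejected by the responder. The handshake is still
        # completed so that HTTP_REQUEST can return a readable error response.
        log local0.debug "OCSP failed for session $id: [AUTH::response_data]"
        lset ssl_state 1 "auth_failure"
        SSL::handshake resume
    } else {
        # Responder error (-1) or an unexpected status: fail closed. Dropping the
        # connection is a policy choice made for this example; failing open would
        # instead record "ocsp_error" in the entry and call SSL::handshake resume.
        log local0.debug "OCSP error for session $id, status $status: [AUTH::response_data]"
        reject
        return
    }
    session add ssl "$id any pool" $ssl_state 21600
}

when HTTP_REQUEST {
    if {![matchclass 1 equals $::cbz_ocsp_check]} {
        HTTP::header insert OcspBypassed 1
        return
    }
    set state [session lookup ssl "[SSL::sessionid] any pool"]
    if {$state eq ""} {
        # No entry means the handshake never reached a decision for this session.
        HTTP::respond 403 content "certificate status unknown"
        return
    }
    if {[lindex $state 0] ne "ok" || [lindex $state 1] ne "auth_success"} {
        HTTP::respond 403 content "certificate rejected: [lindex $state 0] / [lindex $state 1]"
        return
    }
    HTTP::header insert SSLClientCertStatus [lindex $state 1]
}
```

The `ocsp_done` flag is what distinguishes a genuine result from a later timeout-driven event: the first AUTH_RESULT for the session decides, and any repeat is logged and dropped without touching the handshake or the session table. Whether a responder error should fail open or closed depends on the deployment; the example fails closed and says so in the comment so the choice is visible to whoever maintains it.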