Is there a way to instruct F5 to give up and simply declare that the authentication has failed? I think you may have to modify the OCSP iRule. For example, I copied the default OCSP iRule and added a reject command that fires if authentication is not done within 5 seconds.
[root@ve1024:Active] config b rule myocsp list
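rule myocsp {
    # Copy of the default SSL OCSP auth iRule with a fail-closed timer:
    # if no AUTH_RESULT arrives within 5 s of the client certificate, the
    # connection is rejected instead of the handshake hanging on the OCSP
    # lookup.  Connection-scoped variables:
    #   tmm_auth_ssl_ocsp_sid  - auth session id (0 = not started yet)
    #   tmm_auth_ssl_ocsp_done - 1 once the handshake may proceed
    #   monitor_id             - id of the pending reject timer
    when CLIENT_ACCEPTED {
        set tmm_auth_ssl_ocsp_sid 0
        set tmm_auth_ssl_ocsp_done 0
    }
    when CLIENTSSL_CLIENTCERT {
        set tmm_auth_ssl_ocsp_done 0
        # Start the PAM/OCSP auth session once per connection, then hand it
        # the client certificate and its issuer.
        if {$tmm_auth_ssl_ocsp_sid == 0} {
            set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
            if {[info exists tmm_auth_subscription]} {
                AUTH::subscribe $tmm_auth_ssl_ocsp_sid
            }
        }
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        # Reject after 5,000 ms (5 s) unless AUTH_RESULT cancels the timer.
        # Drop any timer left over from an earlier CLIENTSSL_CLIENTCERT on
        # this connection first, otherwise its id is lost by the reassignment
        # below and that stale timer can never be cancelled.
        if {[info exists monitor_id]} { after cancel $monitor_id }
        set monitor_id [after 5000 { reject }]
        # Hold the handshake until the OCSP answer (or the timer) decides.
        SSL::handshake hold
    }
    when CLIENTSSL_HANDSHAKE {
        set tmm_auth_ssl_ocsp_done 1
    }
    when AUTH_RESULT {
        # Only act on the result of our own OCSP session; a result for some
        # other auth session on this connection must neither cancel the
        # reject timer nor resume the handshake.
        if {[info exists tmm_auth_ssl_ocsp_sid] and \
            ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
            # Cancel the pending rejection: the OCSP answer arrived in time.
            if {[info exists monitor_id]} { after cancel $monitor_id }
            set tmm_auth_status [AUTH::status]
            if {$tmm_auth_status == 0} {
                # Status 0 = authenticated: let the handshake finish.
                set tmm_auth_ssl_ocsp_done 1
                SSL::handshake resume
            } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
                # Any failure, or an inconclusive status while the handshake
                # is still held, is fail-closed.
                reject
            }
        }
    }
}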
From the packet trace, BIG-IP sent a reset (frame 16) after 5 seconds.
No. Time Delta Time Source Src port Destination Dst port Protocol Window BiF Vlan id Length Info
1 2012-06-29 22:48:35.651713 0.000000 172.28.19.253 39185 172.28.19.79 443 TCP 5840 4094 163 IN s0/tmm0 : 39185 > 443 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=950608435 TSecr=0 WS=128
2 2012-06-29 22:48:35.651781 0.000068 172.28.19.79 443 172.28.19.253 39185 TCP 4380 4094 167 OUT s0/tmm0 : 443 > 39185 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=1 TSval=951519299 TSecr=950608435 SACK_PERM=1
3 2012-06-29 22:48:35.652989 0.001208 172.28.19.253 39185 172.28.19.79 443 TCP 5888 4094 155 IN s0/tmm0 : 39185 > 443 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSval=950608437 TSecr=951519299
4 2012-06-29 22:48:35.675901 0.022912 172.28.19.253 39185 172.28.19.79 443 SSLv2 5888 123 4094 278 IN s0/tmm0 : Client Hello
5 2012-06-29 22:48:35.675946 0.000045 172.28.19.79 443 172.28.19.253 39185 TLSv1 4380 805 4094 960 OUT s0/tmm0 : Server Hello, Certificate, Certificate Request, Server Hello Done
6 2012-06-29 22:48:35.677892 0.001946 172.28.19.253 39185 172.28.19.79 443 TCP 7552 4094 155 IN s0/tmm0 : 39185 > 443 [ACK] Seq=124 Ack=806 Win=7552 Len=0 TSval=950608462 TSecr=951519323
7 2012-06-29 22:48:35.684862 0.006970 172.28.19.253 39185 172.28.19.79 443 TLSv1 7552 1065 4094 1220 IN s0/tmm0 : Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
15 2012-06-29 22:48:35.784907 0.100045 172.28.19.79 443 172.28.19.253 39185 TCP 5568 4094 155 OUT s0/tmm0 : 443 > 39185 [ACK] Seq=806 Ack=1189 Win=5568 Len=0 TSval=951519432 TSecr=950608468
16 2012-06-29 22:48:40.684979 4.900072 172.28.19.79 443 172.28.19.253 39185 TCP 5568 4094 143 OUT s0/tmm0 : 443 > 39185 [RST, ACK] Seq=806 Ack=1189 Win=5568 Len=0