Forum Discussion

hui_37443's avatar
hui_37443
Icon for Nimbostratus rankNimbostratus
Jun 29, 2012

authentication timeout

I've noticed that OCSP responder never times out. I've managed to make a dummy OCSP server which receives a request & goes to sleep. F5 keeps waiting for the response that never comes back. That makes the browser waiting as well because the SSL handshake is hanging.

 

 

Is there a way to instruct F5 to give up and simply declare the authentication has failed?

 

 

I am using BIG-IP 10.2.4
  • Is there a way to instruct F5 to give up and simply declare the authentication has failed?i think you may have to modify ocsp irule. for example, i copied default ocsp irule and put reject command if auth is not done within 5 seconds.

    [root@ve1024:Active] config  b rule myocsp list
    rule myocsp {
       when CLIENT_ACCEPTED {
       set tmm_auth_ssl_ocsp_sid 0
       set tmm_auth_ssl_ocsp_done 0
    }
    when CLIENTSSL_CLIENTCERT {
       set tmm_auth_ssl_ocsp_done 0
       if {$tmm_auth_ssl_ocsp_sid == 0} {
          set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
          if {[info exists tmm_auth_subscription]} {
             AUTH::subscribe $tmm_auth_ssl_ocsp_sid
          }
       }
       AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
       AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
       AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    
        reject after 5,000ms (5s)
       set monitor_id [after 5000 { reject }]
    
       SSL::handshake hold
    }
    when CLIENTSSL_HANDSHAKE {
       set tmm_auth_ssl_ocsp_done 1
    }
    when AUTH_RESULT {
        cancle rejection if auth is done before 5s
       if {[info exists monitor_id]} { after cancel $monitor_id }
    
       if {[info exists tmm_auth_ssl_ocsp_sid] and \
          ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
          set tmm_auth_status [AUTH::status]
          if {$tmm_auth_status == 0} {
             set tmm_auth_ssl_ocsp_done 1
             SSL::handshake resume
          } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
             reject
          }
       }
    }
    }
    
    from packet trace, bigip sent reset (frame 16) after 5 seconds.
    
    No.     Time                       Delta Time  Source                Src port Destination           Dst port Protocol Window     BiF        Vlan id Length Info
          1 2012-06-29 22:48:35.651713 0.000000    172.28.19.253         39185    172.28.19.79          443      TCP      5840                  4094    163    IN  s0/tmm0 : 39185 > 443 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=950608435 TSecr=0 WS=128
          2 2012-06-29 22:48:35.651781 0.000068    172.28.19.79          443      172.28.19.253         39185    TCP      4380                  4094    167    OUT s0/tmm0 : 443 > 39185 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=1 TSval=951519299 TSecr=950608435 SACK_PERM=1
          3 2012-06-29 22:48:35.652989 0.001208    172.28.19.253         39185    172.28.19.79          443      TCP      5888                  4094    155    IN  s0/tmm0 : 39185 > 443 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSval=950608437 TSecr=951519299
          4 2012-06-29 22:48:35.675901 0.022912    172.28.19.253         39185    172.28.19.79          443      SSLv2    5888       123        4094    278    IN  s0/tmm0 : Client Hello
          5 2012-06-29 22:48:35.675946 0.000045    172.28.19.79          443      172.28.19.253         39185    TLSv1    4380       805        4094    960    OUT s0/tmm0 : Server Hello, Certificate, Certificate Request, Server Hello Done
          6 2012-06-29 22:48:35.677892 0.001946    172.28.19.253         39185    172.28.19.79          443      TCP      7552                  4094    155    IN  s0/tmm0 : 39185 > 443 [ACK] Seq=124 Ack=806 Win=7552 Len=0 TSval=950608462 TSecr=951519323
          7 2012-06-29 22:48:35.684862 0.006970    172.28.19.253         39185    172.28.19.79          443      TLSv1    7552       1065       4094    1220   IN  s0/tmm0 : Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
         15 2012-06-29 22:48:35.784907 0.100045    172.28.19.79          443      172.28.19.253         39185    TCP      5568                  4094    155    OUT s0/tmm0 : 443 > 39185 [ACK] Seq=806 Ack=1189 Win=5568 Len=0 TSval=951519432 TSecr=950608468
         16 2012-06-29 22:48:40.684979 4.900072    172.28.19.79          443      172.28.19.253         39185    TCP      5568                  4094    143    OUT s0/tmm0 : 443 > 39185 [RST, ACK] Seq=806 Ack=1189 Win=5568 Len=0
    
  • If you have more than one OCSP server, it would also be good to configure them in a pool and add that to an internal virtual server. You could then configure that internal VS as the OCSP responder IP:port.

     

     

    With or without an OCSP virtual server, you could configure a pool containing the OCSP server(s) with a health monitor and check for [active_members ocsp_pool] > 0 before attempting the auth from the OCSP iRule. This will help you avoid attempting auth if the OCSP server(s) are unreachable.

     

     

    Aaron