Forum Discussion
Robert_Decker_2
Nimbostratus
Apr 24, 2006
Does HTTP::respond or HTTP::redirect work with OCSP?
Could anybody tell me if redirect or respond works with ssl ocsp AUTH_FAILURE and AUTH_ERROR? I've been able to make it work with LDAP, but not ssl ocsp. I get errors like:
0107...
Robert_Decker_2
Nimbostratus
Apr 28, 2006
I tried a 401 response with the following log:
Fri Apr 28 11:52:49 CDT 2006 tmm tmm[1042] 01220001 TCL error: Rule does_not_work2 AUTH_FAILURE - Operation not supported line 2 invoked from within HTTP::respond 401
    when CLIENT_ACCEPTED {
        # Start an auth session against the default_ssl_ocsp profile
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
    }
    when CLIENTSSL_HANDSHAKE {
        # Cache the client cert in the session table, keyed by SSL session id
        set cur [SSL::sessionid]
        set ask [session lookup ssl $cur]
        if { $ask eq "" } { session add ssl [SSL::sessionid] [SSL::cert 0] }
    }
    when CLIENTSSL_CLIENTCERT {
        # Submit the client cert and its issuer for OCSP validation,
        # then hold the handshake until an AUTH_* event fires
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        SSL::handshake hold
        set id [SSL::sessionid]
    }
    when AUTH_SUCCESS {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            SSL::handshake resume
        }
    }
    when AUTH_FAILURE {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            # This is the HTTP::respond call named in the TCL error above
            HTTP::respond 401
        }
    }
    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            reject
        }
    }
    when AUTH_ERROR {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            reject
        }
    }
    when HTTP_REQUEST {
        # Look up the cached cert and pass its details to the backend as headers
        set id [SSL::sessionid]
        set the_cert [session lookup ssl $id]
        log local0. "the cert is $the_cert"
        if { $the_cert != ""} {
            HTTP::header insert CertAuth "PASS"
            HTTP::header insert SSLClientCertSubject [X509::subject $the_cert]
            HTTP::header insert SSLClientCertIssuer [X509::issuer $the_cert]
            HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $the_cert]
            HTTP::header insert SSLClientCertValidUntil [X509::not_valid_after $the_cert]
            HTTP::header insert SSLClientCert [b64encode $the_cert]
        }
        if { $the_cert == ""} {
            HTTP::header insert CertAuth "Fail"
        }
    }
Any thoughts? Is there a specific response to be used with OCSP?
Thank you,
Rob
