Get SSL Handshake Alert Fatal 44 with certificate revoked
Hello. If APM refuses a certificate because it has been revoked, the SSL handshake is still accepted and the return code is an HTTP 200 OK to display the notification page. This is very user-friendly, but in the case of a machine-to-machine exchange this causes problems, because the client is waiting for the SSL error Alert Fatal code 44 (RFC 5246 chap. 7.2). I need to know how to get this code back by performing an OCSP control. Either via iRule or via APM, or both...
thanks,
4 Replies
- amolari
Cirrostratus
You should have a variable (shown in the /var/log/apm logs) with that value. You could check it in the VPE (after On-Demand Cert Auth) and create a branch selection on that "44" value, then proceed with your action.
- david78
Nimbostratus
Hi amolari, thank you for your answer, but I do not understand where you're going with the VPE and the "On-Demand Cert Auth" box. Can you be more explicit? Thank you.
Could you explain better what you mean by "how to get this code back by performing a control OCSP"?
What do you want to happen on the APM side: should it show the code on a web page, or do you want it sent to the client at the SSL level?
- david78
Nimbostratus
Hi, when a certificate is revoked, RFC 5246 says that the error code must be "certificate_revoked(44)".
I had this iRule from my local contact (put after auth by APM) and it works fine:
    # $ssl_version is assumed to hold the negotiated protocol name (e.g. from [SSL::cipher version]);
    # the posted snippet does not show where it is set. Runs inside the iRule event placed after the APM decision.
    switch $ssl_version {
        "TLSv1.2" { set hex_version "0303" }
        "TLSv1.1" { set hex_version "0302" }
        "TLSv1.0" { set hex_version "0301" }
        default   { reject; return }
    }
    # TLS record: type 0x15 (alert), version, length 0x0002, level 0x02 (fatal), description 0x2C (44 = certificate_revoked)
    set hex_response "15${hex_version}0002022C"
    set bin_response [binary format H* $hex_response]
    TCP::respond $bin_response
    TCP::close
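To verify what a client would actually receive from an iRule like the one above, here is an added example (not from the thread or from F5) in Python that builds and decodes a TLS alert record per RFC 5246 section 7.2. The version, level and description tables are the RFC values; `check_irule_bytes` reproduces the hex strings the iRule emits for each protocol version and decodes them, so you can confirm that every branch yields a fatal certificate_revoked(44) alert before deploying it. Function and variable names are this example's own.

```python
import struct

TLS_ALERT_CONTENT_TYPE = 0x15           # ContentType alert(21)
RECORD_HEADER = "!BBBH"                 # type, major, minor, length (big-endian)

# RFC 5246 section 7.2 values (subset relevant to certificate checks)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
TLS_VERSIONS = {"TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}


def build_alert_record(version_name, level, description):
    """Return the raw bytes of a TLS alert record for the given version/level/description."""
    major, minor = TLS_VERSIONS[version_name]
    body = bytes([level, description])          # Alert = { AlertLevel, AlertDescription }
    header = struct.pack(RECORD_HEADER, TLS_ALERT_CONTENT_TYPE, major, minor, len(body))
    return header + body


def parse_alert_record(record):
    """Decode a raw TLS alert record; raise ValueError on anything that is not a well-formed alert."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, major, minor, length = struct.unpack(RECORD_HEADER, record[:5])
    if ctype != TLS_ALERT_CONTENT_TYPE:
        raise ValueError(f"not an alert record (content type {ctype:#x})")
    if length != 2 or len(record) != 5 + length:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = record[5], record[6]
    version = next((n for n, v in TLS_VERSIONS.items() if v == (major, minor)),
                   f"unknown({major}.{minor})")
    return {
        "version": version,
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        "description_code": desc,
    }


def check_irule_bytes():
    """Rebuild the hex string the posted iRule sends per version and decode each one."""
    irule_versions = {"TLSv1.2": "0303", "TLSv1.1": "0302", "TLSv1.0": "0301"}
    results = {}
    for name, hex_version in irule_versions.items():
        raw = bytes.fromhex("15" + hex_version + "0002022C")   # same concatenation as the iRule
        results[name] = parse_alert_record(raw)
    return results


if __name__ == "__main__":
    for name, decoded in check_irule_bytes().items():
        print(name, decoded)
```

Running it prints one decoded record per version; each should read level `fatal` and description `certificate_revoked` with code 44. The parser rejects records whose length field disagrees with the payload, which is the kind of off-by-one that a hand-built hex string can easily introduce.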