Forum Discussion
iRule for OCSP auth
Hi.
I'm trying HTTPS traffic offload with client authentication using BIG-IP VE on AWS.
And when Client Cert is expired or revoked, I want to show the user another web page.
I am going to use iRule to implement this.
Now I use a private CA and use this for OCSP authentication, but it didn't work as expected.
Both valid-cert and revoked-cert traffic were logged as "tmm[10048]: Rule /Common/_03_test_rule <CLIENTSSL_CLIENTCERT>: Cert verify result - ok".
iRule "03_test_rule":
when CLIENTSSL_CLIENTCERT {
    # Result of the clientssl profile's certificate verification (0 = X509_V_OK)
    set error_code [SSL::verify_result]
    # Log the human-readable reason for that result
    log local0. "Cert verify result - [X509::verify_cert_error_string $error_code]"
}
But in this case, HTTP access worked correctly.
- Valid Cert -> could access the virtual server
- Revoked Cert -> could not access the virtual server (browser message "Can't connect securely to this page")
I wonder why web access is (correctly) rejected but the OCSP auth returns 0 (X509_V_OK) instead of 27 (X509_V_ERR_CERT_REVOKED).
./ltm:Oct 17 15:23:41 ip-10-200-10-10 info tmm[10048]: Rule /Common/_03_test_rule <CLIENTSSL_CLIENTCERT>: Cert verify result - ok
When I use a local CRL file for auth, it works fine.
./ltm:Oct 17 15:27:30 ip-10-200-10-10 info tmm1[10048]: Rule /Common/_03_test_rule <CLIENTSSL_CLIENTCERT>: Cert verify result - certificate revoked
BIG-IP VE version is BIG-IP ver 15.0.1 build 0.0.11.
Regards,
- Yoann_Le_Corvi1 (Cumulonimbus)
Hi,
So you are basically attempting to do OCSP verification on LTM only and not via APM? Right?
If so I think you cannot do it unless using C3D (but this requires F5 to generate client certificates on the fly to present to the backend). But even then, this will just DROP the connection. Not sure you can present a nice page there.
With APM and OCSP responders objects it's more flexible.
Yoann
- tatsu (Nimbostratus)
Thanks, Yoann.
> So you are basically attempting to do OCSP verification on LTM only and not via APM ?
Yes, I use LTM only.
> If so I think you cannot do it unless using C3D (but this requires F5 to generate client certificates on the fly to present to backend).
OK. I understood that it is difficult to send a web page with only LTM when auth fails. 😊
But there is still a question.
>> I wonder why web access is (correctly) rejected but the OCSP auth returns 0 (X509_V_OK) instead of 27 (X509_V_ERR_CERT_REVOKED).
My understanding is that in this case the return code should be "27", not "0".
Is that right?
- Yoann_Le_Corvi1 (Cumulonimbus)
Hi,
Yes, that would be the case if the F5 actually interrogated the OCSP responder. But I don't think it does.
Did you configure the clientssl profile to "require" a client certificate, and add a CRL object there? With LTM, only a CRL can be checked by default, unless you use C3D.
Yoann
- tatsu (Nimbostratus)
Thank you for your reply.
I configured "Client Certificate" as required in the client SSL profile, and the virtual server's authentication profile is set to "OCSP Prof".
In the SSL profile, I didn't add a CRL object because I use the OCSP profile.
I can see packets (TCP 8181) on the OCSP Responder server.
It seems that LTM uses the OCSP Responder for client auth.
Do I have to configure C3D?
Regards,
- Yoann_Le_Corvi1 (Cumulonimbus)
Hi,
OK. Got it.
No, with this setup there is no need for C3D, but the thing is that when you try to log the result in the CLIENTSSL_CLIENTCERT event, this only takes into account what is in the CLIENTSSL profile. So if the certificate is valid in terms of certificate chain, it will always return OK. The Auth profile is not considered in this event. So it's slightly more complex to do this check like this.
Step 1: check the SSL cert by the CLIENTSSL profile
Step 2: check the OCSP
Step 3: finalise the SSL handshake.
There is an OLD iRule that showed how to do this, that you could use as a starting point.
https://devcentral.f5.com/s/articles/client-cert-request-by-uri-with-ocsp-checking
But it seems that a bit of work will be required to make it work in recent versions of BIG-IP. If I find a bit of spare time I may try to do it, but not guaranteed :-)
Yoann
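Added example, not code from this thread, from F5 or from the DevCentral article linked above: an iRule that stays on the path Yoann describes as checkable on LTM alone, the clientssl profile's own chain and CRL verification, and then uses that result in HTTP_REQUEST to serve the custom page the original poster asked about. It assumes the clientssl profile is set to "request" rather than "require" (so a failed verification still completes the handshake and HTTP_REQUEST fires), that a CRL object is attached to that profile, and that an OCSP auth profile, if present, is not expected to show up in SSL::verify_result. The variable names and the HTML body are made up for illustration.

```tcl
# Added example, not from the thread or from F5. Assumes a clientssl profile
# in "request" mode with a CRL attached; variable names and HTML are invented.

when CLIENTSSL_CLIENTCERT {
    # SSL::verify_result reflects only the clientssl profile's chain + CRL
    # check; an OCSP auth profile on the virtual server is not reflected here.
    set cert_error [SSL::verify_result]
    set cert_reason [X509::verify_cert_error_string $cert_error]
    set cert_ok 0
    if { [SSL::cert count] > 0 } {
        set cert_subject [X509::subject [SSL::cert 0]]
        if { $cert_error == 0 } {
            # 0 == X509_V_OK: chain valid and not listed in the attached CRL
            set cert_ok 1
        }
    } else {
        set cert_subject "(no certificate presented)"
    }
    log local0. "client cert ${cert_subject}: ${cert_reason} (${cert_error})"
}

when HTTP_REQUEST {
    # Anything other than a verified certificate gets the custom error page
    # instead of reaching the pool. A resumed SSL session that did not run
    # CLIENTSSL_CLIENTCERT on this connection has no cert_ok variable and is
    # rejected as well (assumption: that is acceptable for this deployment).
    if { ![info exists cert_ok] || $cert_ok == 0 } {
        set reason "no client certificate"
        if { [info exists cert_reason] } {
            set reason $cert_reason
        }
        HTTP::respond 403 content "<html><body><h1>Access denied</h1><p>Client certificate check failed: ${reason}</p></body></html>" "Content-Type" "text/html" "Connection" "close"
        return
    }
}
```

The point of the two-event split is the one Yoann makes: the verification result is only available from the clientssl profile, so the decision has to be recorded in CLIENTSSL_CLIENTCERT and acted on later, once there is an HTTP request to answer. If revocation must come from an OCSP responder instead of a CRL, this rule will not see that result and the linked article's approach (checking OCSP from the iRule before finishing the handshake) is the one to adapt.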
- tatsu (Nimbostratus)
Thank you for your reply.
I'm going to try this.
> There is an OLD iRule that showed how to do this, that you could use as a starting point.
> https://devcentral.f5.com/s/articles/client-cert-request-by-uri-with-ocsp-checking
Regards,