Forum Discussion

tatsu
Oct 23, 2019

iRule for OCSP auth

Hi.

I'm trying HTTPS traffic offload with client authentication using BIG-IP VE on AWS.

And when the client cert is expired or revoked, I want to show the user another web page.

I am going to use an iRule to implement this.

Now I use a private CA and use it for OCSP authentication, but it didn't work as expected.

Both traffic with a valid cert and traffic with a revoked cert is logged as "tmm[10048]: Rule /Common/_03_test_rule <CLIENTSSL_CLIENTCERT>: Cert verify result - ok".

"03_test_rule"

when CLIENTSSL_CLIENTCERT {
    # Result of the clientssl profile's own certificate check (0 = X509_V_OK)
    set error_code [SSL::verify_result]
    # Log the human-readable OpenSSL verify string for that code
    log local0. "Cert verify result - [X509::verify_cert_error_string $error_code]"
}

But in this case, HTTP access worked correctly.

  • Valid cert -> could access the virtual server
  • Revoked cert -> could not access the virtual server (browser message "Can't connect securely to this page")

I wonder why web access is (correctly) rejected but the OCSP auth returns 0 (X509_V_OK) rather than 27 (X509_V_ERR_CERT_REVOKED).

./ltm:Oct 17 15:23:41 ip-10-200-10-10 info tmm[10048]: Rule /Common/_03_test_rule <CLIENTSSL_CLIENTCERT>: Cert verify result - ok

When I use a local CRL file for auth, it works fine.

./ltm:Oct 17 15:27:30 ip-10-200-10-10 info tmm1[10048]: Rule /Common/_03_test_rule <CLIENTSSL_CLIENTCERT>: Cert verify result - certificate revoked

The BIG-IP VE version is BIG-IP 15.0.1 build 0.0.11.

Regards,

6 Replies

  • Hi,

    So you are basically attempting to do OCSP verification on LTM only and not via APM? Right?

    If so, I think you cannot do it unless you use C3D (but this requires F5 to generate client certificates on the fly to present to the backend). But even then, this will just DROP the connection. Not sure you can present a nice page there.

    With APM and OCSP responder objects it's more flexible.

    Yoann

  • tatsu

    Thanks, Yoann.

    > So you are basically attempting to do OCSP verification on LTM only and not via APM?

    Yes, I use LTM only.

    > If so, I think you cannot do it unless you use C3D (but this requires F5 to generate client certificates on the fly to present to the backend).

    OK. I understood that it is difficult to send a web page with only LTM when auth fails. 😊

    But there is still a question.

    >> I wonder why web access is (correctly) rejected but the OCSP auth returns 0 (X509_V_OK) rather than 27 (X509_V_ERR_CERT_REVOKED).

    My understanding is that, in this case, the return code should be "27", not "0".

    Is it right?

  • Hi,

    Yes, that would be the case if the F5 actually interrogated the OCSP responder. But I don't think it does.

    Did you configure the clientssl profile to "require" a client certificate, and add a CRL object there? With LTM, only a CRL can be checked by default, unless you use C3D.

    Yoann

  • tatsu

    Thank you for your reply.

    I configured "Client Certificate" as required in the client SSL profile, and the virtual server's authentication profile is set to "OCSP Prof".

    In the SSL profile, I didn't add a CRL object because I use the OCSP profile.

    I can see packets (TCP 8181) on the OCSP responder server.

    It seems that LTM uses the OCSP responder for client auth.

    Do I have to configure C3D?

    Regards,

  • Hi,

    OK. Got it.

    No, with this setup there is no need for C3D, but the thing is, when you try to log the result in the CLIENTSSL_CLIENTCERT event, this only takes into account what is in the clientssl profile. So if the certificate is valid in terms of the certificate chain, it will always return OK. The auth profile is not considered in this event. So it's slightly more complex to do this check like this.

    Step 1: check the SSL cert via the CLIENTSSL profile

    Step 2: check OCSP

    Step 3: finalise the SSL handshake.

    There is an OLD iRule that showed how to do this, which you could use as a starting point.

    https://devcentral.f5.com/s/articles/client-cert-request-by-uri-with-ocsp-checking

    But it seems that a bit of work will be required to make it work in recent versions of BIG-IP. If I find a bit of spare time I may try to do it, but no guarantees :-)

    Yoann
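As an added example (not code from this thread, from the linked article, or from F5), here is one way the three steps above fit together in a single iRule so that a revoked certificate gets a custom page instead of a dropped connection. It assumes an LTM authentication configuration named "ocsp_config" that points at the OCSP responder (the name is hypothetical; substitute yours), a clientssl profile with Client Certificate set to require, and an HTTP profile on the virtual server. The AUTH:: and SSL::handshake commands are the ones the linked article's pattern relies on; as the reply notes, the flow has not been verified on 15.x.

```tcl
# Added example, not from the thread or the linked article.
# Step 1: let the clientssl profile check the chain (that is all
#         SSL::verify_result ever reflects; OCSP is not part of it).
# Step 2: hold the handshake while LTM queries the OCSP responder.
# Step 3: finish the handshake, then decide at the HTTP layer what to serve.
# Assumed (hypothetical) name: LTM auth configuration "ocsp_config".

when CLIENTSSL_CLIENTCERT {
    # Step 1: the profile's own chain/CRL verdict, 0 = X509_V_OK
    set cert_status "ok"
    set cert_subject [X509::subject [SSL::cert 0]]
    set chain_rc [SSL::verify_result]
    if { $chain_rc != 0 } {
        set cert_status "chain:[X509::verify_cert_error_string $chain_rc]"
        log local0. "chain check failed for $cert_subject: $cert_status"
        return
    }

    # Step 2: start the OCSP query through the auth subsystem and pause
    # the handshake until AUTH_RESULT fires for this session.
    set ocsp_sid [AUTH::start pam ocsp_config]
    AUTH::subscribe $ocsp_sid
    AUTH::cert_credential $ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $ocsp_sid
    SSL::handshake hold
}

when AUTH_RESULT {
    # Ignore results from auth sessions this iRule did not start
    if { ![info exists ocsp_sid] } { return }

    # AUTH::status is 0 on success; anything else means revoked, unknown
    # or responder error. Remember it rather than rejecting, so a page
    # can still be returned over HTTP.
    if { [AUTH::status] != 0 } {
        set cert_status "ocsp:[AUTH::status]"
        log local0. "OCSP check failed for $cert_subject: $cert_status"
    }

    # Step 3: finish the handshake in either case
    SSL::handshake resume
}

when HTTP_REQUEST {
    # Per-connection verdict: answer every request on a failed connection
    if { ![info exists cert_status] || $cert_status ne "ok" } {
        HTTP::respond 403 content \
            "<html><body><h1>Client certificate rejected</h1></body></html>" \
            "Content-Type" "text/html" "Connection" "close"
        return
    }
}
```

Two caveats. Because SSL::verify_result still reflects only the profile's chain and CRL check, with Client Certificate set to require an expired certificate never reaches HTTP_REQUEST (the profile aborts the handshake itself); if the expired case should also get a page, set the profile to request and treat a non-zero verify result the same way the OCSP failure is treated. And since the verdict is stored per connection, every request on a connection whose certificate failed is answered with the 403, not only the first.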