Forum Discussion
iRule Optimization w/ Certificates?
Scot_86001 (Nimbostratus), Feb 21, 2010
The iRule below functions and performs as it should. I have been told that what I have below may not be efficient or optimized. I am looking to see if anyone can make some suggestions on how to bett...
hoolio (Cirrostratus), Feb 23, 2010
500 is not a bad start! Can you explain why you're trying to check the client cert against a DOD and Verisign OCSP server? Are there two different sets of CAs issuing the client certs?
The idea with the VIP for the OCSP servers is that you can eventually configure an external monitor which replicates a client OCSP request. If the OCSP server fails to respond to the monitor requests, it would be marked down in the pool and not used.
To troubleshoot the responder failure, I'd start with a command line request from LTM direct to the server to see if the TCP connection works and if so whether you get an HTTP response. If that works, then try making the same request to the OCSP VIP with only the Verisign server enabled in the pool. If you get an HTTP response from the VIP, then try the client cert VIP again with only the Verisign server enabled in the pool. If the OCSP auth fails, I'd try loosening the validation of the OCSP server(s) in the OCSP responder config.
Aaron
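The command-line check and the "external monitor that replicates a client OCSP request" that Aaron describes, written out as an added example. This is not code from the thread or from F5: it is a POSIX shell script in the shape of an LTM external monitor that sends a real OCSP request with the openssl CLI and only reports UP when the responder returns a verified "good" answer for the probe certificate. The file paths, the variable names OCSP_ISSUER, OCSP_CERT and OCSP_TIMEOUT, and the sample response text are assumptions made for the example; the script also assumes LTM hands the script the node IP and port as its first two arguments and treats anything written to stdout as UP.

```shell
#!/bin/sh
# Added example, not from the thread or from F5: an LTM-style external
# monitor that sends a genuine OCSP request for a known-good probe cert
# and marks the responder UP only on a verified "good" answer.
#
# Assumed: LTM passes node IP as $1 and node port as $2, and any output on
# stdout means UP. The paths below are placeholders, not F5 defaults.
OCSP_ISSUER="${OCSP_ISSUER:-/config/monitors/issuer-ca.pem}"    # CA that issued the probe cert
OCSP_CERT="${OCSP_CERT:-/config/monitors/probe-client.pem}"     # a cert known to be valid
OCSP_TIMEOUT="${OCSP_TIMEOUT:-5}"                                # seconds to wait for the responder

# Classify the combined stdout+stderr of `openssl ocsp -resp_text`.
# Signature problems come first: a "good" status inside a response whose
# signature did not verify is exactly the case the responder-config
# validation settings are about, and must not count as healthy.
# Prints one of: verify-failed | good | revoked | unknown | error
ocsp_status() {
    out="$1"
    case "$out" in
        *"Response Verify Failure"*) echo verify-failed ;;
        *"Cert Status: good"*)       echo good ;;
        *"Cert Status: revoked"*)    echo revoked ;;
        *"Cert Status: unknown"*)    echo unknown ;;
        *)                           echo error ;;   # no/garbled response, TCP or HTTP failure
    esac
}

# Map a classification to the monitor verdict: only a verified "good"
# answer for the probe cert means the responder is usable by the iRule.
monitor_decision() {
    if [ "$1" = good ]; then echo UP; fi
}

# Send the same request the iRule's OCSP auth would send, straight to one
# node (the "command line request from LTM direct to the server" step).
# -CAfile lets openssl verify the responder signature against the issuer;
# add -noverify here only to reproduce the "loosened validation" case.
ocsp_probe() {
    node="${1#::ffff:}"    # LTM may pass IPv4 nodes in ::ffff:a.b.c.d form
    port="$2"
    openssl ocsp -issuer "$OCSP_ISSUER" -cert "$OCSP_CERT" \
        -CAfile "$OCSP_ISSUER" \
        -url "http://$node:$port/" \
        -timeout "$OCSP_TIMEOUT" -resp_text 2>&1
}

# Constructed sample outputs (abbreviated), used for a dry run without a
# responder. A real -resp_text dump carries the full response before the
# verify line.
SAMPLE_GOOD='Cert Status: good
Response verify OK'
SAMPLE_BAD_SIG='Cert Status: good
Response Verify Failure'

if [ "$#" -ge 2 ]; then
    # Monitor mode: LTM (or a human) supplied node IP and port.
    monitor_decision "$(ocsp_status "$(ocsp_probe "$1" "$2")")"
else
    # Dry run: show how each sample would be judged.
    echo "sample good      -> $(ocsp_status "$SAMPLE_GOOD") / $(monitor_decision "$(ocsp_status "$SAMPLE_GOOD")")"
    echo "sample bad sig   -> $(ocsp_status "$SAMPLE_BAD_SIG") / $(monitor_decision "$(ocsp_status "$SAMPLE_BAD_SIG")")"
fi
```

Run it by hand as `sh ocsp-monitor.sh <responder-ip> <port>` to reproduce the direct-to-server and via-VIP checks from the post; with one pool member at a time enabled, the difference between `error` (no TCP/HTTP answer), `verify-failed` (responder signature not trusted) and `good` tells you which of the three failure points Aaron lists you are hitting before touching the OCSP responder's validation settings.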