Forum Discussion
Johnny_Test_197
Nimbostratus
Aug 24, 2015
Monitor that uses openssl for OCSP
I'm looking to create a probe that can ascertain if our OCSP nodes are processing requests properly, instead of a standard TCP probe. I was hoping to use something similar to this "openssl ocsp -url...
Kevin_Stewart
Employee
Aug 24, 2015
You may have to tweak this a bit to get exactly what you want, but based on the sample (Bash) monitor:
```sh
#!/bin/sh
# These arguments are supplied automatically for all external pingers:
# $1 = IP (::ffff:nnn.nnn.nnn.nnn notation or hostname)
# $2 = port (decimal, host byte order)
# $3 and higher = additional arguments
# $MONITOR_NAME = name of the monitor
# In this sample script, $3 is the regular expression

# Name of the pidfile
pidfile="/var/run/$MONITOR_NAME.$1..$2.pid"

# Send signal to the process group to kill our former self and any children
# as external monitors are run with SIGHUP blocked
if [ -f "$pidfile" ]
then
    kill -9 -`cat "$pidfile"` > /dev/null 2>&1
fi
echo "$$" > "$pidfile"

# Remove the IPv6/IPv4 compatibility prefix
node_ip=`echo $1 | sed 's/::ffff://'`

# Use openssl to send an OCSP request for serial 4 to the node.
# Search the response for the expected "good" status.
# Note: -noverify skips verification of the responder's signature and certificate.
openssl ocsp -CAfile subca1.f5labs.com.cer -issuer subca1.f5labs.com.cer -serial 4 -noverify -url "http://$node_ip:$2" | grep "4: good" > /dev/null
status=$?
if [ $status -eq 0 ]
then
    # Remove the pidfile before the script echoes anything to stdout and is killed by bigd
    rm -f "$pidfile"
    echo "up"
fi

# Remove the pidfile before the script ends
rm -f "$pidfile"
```
Then just apply this as a standard external monitor.
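A stricter form of the status check, as an added example that is not part of the original post. It assumes the monitor drops `-noverify` and merges stderr into the pipe with `2>&1`, and that `openssl ocsp` prints a `Response verify OK` line plus a `<serial>: <status>` line; the function name `ocsp_verdict` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# ocsp_verdict SERIAL
#   Reads the combined stdout+stderr of `openssl ocsp` on stdin and prints
#   "up" only when the response was verified AND the status line for exactly
#   SERIAL says "good". Anything else (revoked, unknown, unverified, empty
#   output, a different serial) prints "down", so the check fails closed.
ocsp_verdict() {
    awk -v serial="$1" '
        # Assumed marker printed by openssl when the response signature verifies.
        $0 == "Response verify OK"   { verified = 1 }
        # Prefix match at column 1, so serial 4 does not match "14: good".
        index($0, serial ": ") == 1  { status = substr($0, length(serial) + 3) }
        END {
            if (verified && status == "good") print "up"
            else print "down"
        }
    '
}

# Constructed sample outputs (not captured from a real responder).
sample_good='Response verify OK
4: good
    This Update: Aug 24 12:00:00 2015 GMT'

sample_revoked='Response verify OK
4: revoked
    This Update: Aug 24 12:00:00 2015 GMT'

sample_unverified='Response Verify Failure
4: good
    This Update: Aug 24 12:00:00 2015 GMT'

sample_other_serial='Response verify OK
14: good
    This Update: Aug 24 12:00:00 2015 GMT'

# Demonstration over the constructed samples: prints up, down, down, down.
for sample in "$sample_good" "$sample_revoked" "$sample_unverified" "$sample_other_serial"
do
    printf '%s\n' "$sample" | ocsp_verdict 4
done

# In the monitor, the grep stage would become (hypothetical wiring):
#   openssl ocsp -CAfile ... -issuer ... -serial 4 -url "http://$node_ip:$2" 2>&1 | ocsp_verdict 4
```

Because the function prints `down` rather than staying silent, the monitor would compare its output to `up` before echoing anything to stdout.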