Forum Discussion

JohnVI_45924
Jan 17, 2012

OCSP and BigIp Irules for External Client Certificate Requests

I went through and found an article that talks to part of my questions, but I'm still not 100% on how to accomplish this with our current F5 setup. I'm trying to set this up for client certificate revocation checking, and not for any sort of SSL setup.

I currently am bringing up an OCSP service via a Microsoft Server 2008 R2 machine with the OCSP role installed. We will have 1 responder inside the network, which fetches its CRL and delta updates from, obviously, the CA.

In Microsoft's design scenario below, they are very vague with regards to how this is accomplished.

http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx

In Figure 3, Microsoft Internet Security and Acceleration (ISA) is configured as a reverse proxy located in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). The Online Responder is located in a protected local area network (LAN), while all requests are redirected by an authenticated server that is running ISA.

We don't use ISA, but do use F5. With our OCSP server being on the inside, does anyone have any insight as to how I can safely accomplish a client-to-OCSP-server request? OCSP travels over 80, and implementing OCSP through SSL is not an option as things WILL break. I just need to know how I can accomplish what this document is asking, using iRules and BigIP.

My main concerns are:

What direction to open: OCSP hits the responder, and the OCSP responder hits the CA if it needs to for the specific request being sent by the client. So bi-directional traffic would in theory be needed for the client to send and receive a signed OCSP response from the server.

How can I safely accomplish this using our current F5 infrastructure?

I found this, but it's speaking to SSL proxy; I'm using OCSP via a PKI, not really using it for SSL.

http://support.f5.com/kb/en-us/archived_products/big-ip/manuals/product/bigip4_5features/BIGip_OCSP.print.html

  • The purpose of OCSP is to verify the client's SSL certificate is valid. In order to process a client certificate on LTM, you need to use a client SSL profile. To check it against an OCSP server, you'll need an advanced client authentication (ACA) add-on license. Do you have this license already? If not, you can check with your F5 or partner account manager for a quote.

    Once you have the license, you can use an OCSP profile to validate the client cert. The OCSP responder can be on a TMM interface on an "internal" or "external" VLAN. There's no functional difference between the two from TMM's perspective. The OCSP call is done over HTTP, but the client to LTM virtual server traffic is via SSL.

    Aaron
  • Okay, I guess I'm not making the connection when you say the purpose of OCSP is to verify a client's SSL cert. In my case, not really. OCSP is just another form of revocation checking, focusing on the delta. OCSP is not just for SSL connections, nor used only to validate an SSL-based certificate. OCSP is just a flavor of validity checking against a certificate: SSL based, S/MIME email based, etc. So, I guess back to my question: if I have an OCSP responder internal, and want to set up some iRule base on my F5 to redirect clients validating revocation in the form of an OCSP check, how could I do this with our F5 and iRules safely?

    I very much appreciate your response, just want to clarify a bit further from my end.

    Thank you, please let me know your thoughts.

    J
  • I see your point. You could use OCSP to check a client cert regardless of how it's received. For LTM I've only ever seen it supplied via SSL for web apps so that was my confusion.

    So more generally, you can use the LTM AUTH:: commands to verify a client cert against an OCSP server. However you get the cert, you'd use something like this (with the cert being saved in $PEM_ENCODED_CLIENT_CERT):

    http://devcentral.f5.com/wiki/iRules.auth.ashx

    when CLIENTSSL_CLIENTCERT {
        # The event name was lost from the post; CLIENTSSL_CLIENTCERT is the event in
        # which a cert supplied through the client SSL profile is available.
        # Check if there isn't already a TMM authentication OCSP session ID
        if {![info exists tmm_auth_ssl_ocsp_sid] || $tmm_auth_ssl_ocsp_sid == 0} {

            # [AUTH::start pam default_ssl_ocsp] returns an authentication session ID
            set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]

            if {[info exists tmm_auth_subscription]} {
                AUTH::subscribe $tmm_auth_ssl_ocsp_sid
            }
        }
        # Cert to check: from the handshake here; substitute $PEM_ENCODED_CLIENT_CERT
        # if the cert was obtained some other way
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
        # The issuer credential takes the issuer's cert, not the client cert itself
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid

        # Need to call a protocol specific hold command while the auth attempt is made
        # to OCSP: SSL::handshake hold in this event, HTTP::collect or TCP::collect in
        # an HTTP or TCP event
        SSL::handshake hold
    }
    when AUTH_RESULT {

        # AUTH::status values:
        # http://devcentral.f5.com/wiki/default.aspx/iRules/AUTH__status.html
        #  0 = success
        #  1 = failure
        # -1 = error
        #  2 = not-authed

        # Check if there is an existing TMM SSL OCSP session ID
        if {[info exists tmm_auth_ssl_ocsp_sid] and ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {

            # Save the auth status
            set tmm_auth_status [AUTH::status]

            if {$tmm_auth_status == 0} {

                # OCSP auth was successful, so resume the session
                # (HTTP::release / TCP::release if the matching collect was used)
                SSL::handshake resume

            } else {

                # OCSP auth failed or errored: a held session must not be left
                # hanging, so drop the connection
                reject
            }
        }
    }

    Aaron
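Neither reply covers the original question of letting external clients reach the internal Online Responder through the F5. The iRule below is an added example, not code from this thread or from F5: on a plain-HTTP virtual server facing the clients it forwards only traffic shaped like OCSP (RFC 6960 Appendix A: a POST with Content-Type application/ocsp-request, or a GET with the base64 DER request in the path) to the responder, and answers everything else locally. Because responses are signed by the responder, the proxy only needs to limit exposure, not add integrity. The pool name ocsp_responder_pool, the responder path /ocsp and the 4096-byte limit are assumptions.

```tcl
# Added example, not from the thread. Assumed: a pool named ocsp_responder_pool
# containing the internal Online Responder, published at path /ocsp.
when HTTP_REQUEST {
    set method [HTTP::method]
    set ctype [string tolower [HTTP::header value "Content-Type"]]

    # POST form: DER-encoded OCSPRequest body, Content-Type application/ocsp-request
    if { $method eq "POST" && $ctype eq "application/ocsp-request" } {
        # OCSP requests are a few hundred bytes; refuse missing, non-numeric or
        # oversized lengths before the responder ever sees the body (limit assumed)
        set clen [HTTP::header "Content-Length"]
        if { ![string is integer -strict $clen] || $clen > 4096 } {
            HTTP::respond 413 content "Request too large" Connection "close"
            return
        }
        pool ocsp_responder_pool
        return
    }

    # GET form: base64 of the DER request is appended to the responder URL
    # (base64 may contain '/', so several path segments after /ocsp/ are legitimate)
    if { $method eq "GET" && [string match "/ocsp/*" [HTTP::path]] \
         && [string length [HTTP::path]] <= 4096 } {
        pool ocsp_responder_pool
        return
    }

    # Anything else is not OCSP: answer here so it never reaches the responder
    HTTP::respond 404 content "Not found" Connection "close"
}

when HTTP_RESPONSE {
    # Only OCSP responses should leave the perimeter; drop server banner headers
    HTTP::header remove "Server"
    HTTP::header remove "X-Powered-By"
}
```

Because the Content-Length check rejects chunked bodies, confirm the client software sends a fixed-length POST (Windows clients do) before relying on it.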