Forum Discussion
JohnVI_45924
Nimbostratus
NimbostratusOCSP and BigIp Irules for External Client Certificate Requests
I went through and found an article that talks to part of my questions, but I'm still not 100% on how to accomplish this with our current F5 setup. Im trying to set this up for client certificate revo...
hoolio
Cirrostratus
CirrostratusI see your point. You could use OCSP to check a client cert regardless of how it's received. For LTM I've only ever seen it supplied via SSL for web apps so that was my confusion.
So more generally, you can use the LTM AUTH:: commands to verify a client cert against an OCSP server. However you get the cert, you'd use something like this (with the cert being saved in $PEM_ENCODED_CLIENT_CERT):
http://devcentral.f5.com/wiki/iRules.auth.ashx
when {
Check if there isn't already a TMM authentication OCSP session ID
if {$tmm_auth_ssl_ocsp_sid == 0} {
[AUTH::start pam default_ssl_ocsp] returns an authentication session ID
set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
if {[info exists tmm_auth_subscription]} {
AUTH::subscribe $tmm_auth_ssl_ocsp_sid
}
}
AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid $PEM_ENCODED_CLIENT_CERT
AUTH::authenticate $tmm_auth_ssl_ocsp_sid
Need to call a protocol specific hold command while the auth attempt is made to OCSP
HTTP::collect
TCP::collect
}
when AUTH_RESULT {
AUTH::status values:
http://devcentral.f5.com/wiki/default.aspx/iRules/AUTH__status.html
0 = success
1 = failure
-1 = error
2 = not-authed
Check if there is an existing TMM SSL OCSP session ID
if {[info exists tmm_auth_ssl_ocsp_sid] and ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
Save the auth status
set tmm_auth_status [AUTH::status]
if {$tmm_auth_status == 0 } {
OCSP auth was successful, so resume the session
HTTP::release
TCP::release
} else {
OCSP auth failed
}
}
}
Aaron
