OCSP check iRule issues
Hi,
So, as I have quite some issues with OCSP/client cert checks using an auth profile with an attached iRule, I wanted to start from scratch.
IF YOU CAN EVEN ONLY ANSWER ONE OF THE QUESTIONS, PLEASE DO SO!
While starting with _sys_auth_ssl_ocsp, I noticed a few things:
1) We shouldn't have to do this, at least when we set tmm_auth_subscription "*" in CLIENT_ACCEPTED, right?
    # subscribe to AUTH events for this OCSP session only
    if {[info exists tmm_auth_subscription]} {
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
    }
Though, can it somehow be possible that we get too many AUTH_RESULT events if we set it to "*"?
2) The AUTH_RESULT event will probably produce connection timeouts:
    when AUTH_RESULT {
        # only handle the result that belongs to our own OCSP session
        if {[info exists tmm_auth_ssl_ocsp_sid] and \
            ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
            set tmm_auth_status [AUTH::status]
            if {$tmm_auth_status == 0} {
                # OCSP says "good": release the held SSL handshake
                set tmm_auth_ssl_ocsp_done 1
                SSL::handshake resume
            } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
                # failure, or error before the handshake was released: drop the connection
                reject
            }
        }
    }
If the first "if" statement is not true for whatever reason OR we get a tmm_auth_status of -1 (general OCSP error), the held SSL handshake will never finish and we will run into either the OCSP idle timeout or a TCP timeout; so wouldn't it generally be better to ALWAYS do the SSL::handshake resume and just do a "return" after the reject for that special case? Or is there any special reason we shouldn't resume the handshake here?
3) Can someone please explain
    if {[info exists tmm_auth_ssl_ocsp_sid] and \
        ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
to me? AFAIK, last_event_session_id is the last processed auth event in general. In a high-load scenario (and because the AUTH is most likely multithreaded) it may happen that this is not true. Or is the AUTH_RESULT event called for ALL instances, and this if-statement just means that we want the correct instance to process it?
Many thanks in advance, Rene
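As an added example (not from the post above or from F5's _sys_auth_ssl_ocsp iRule), the following Python model reproduces the branch logic of the AUTH_RESULT handler quoted in point 2 and enumerates which combinations of session-id match, AUTH::status value and tmm_auth_ssl_ocsp_done flag resume the held handshake, reject the connection, or do neither while the handshake is still held (the timeout case the post describes). It assumes the flag is initialised to 0 before the handshake is held and that status values other than 0 and -1 all denote a failed check.

```python
# Model of the AUTH_RESULT handler from the iRule quoted above (added example,
# not F5 code). Inputs: whether AUTH::last_event_session_id matched our own
# session id, the AUTH::status value, and the tmm_auth_ssl_ocsp_done flag.
from itertools import product

RESUME, REJECT, NONE = "resume", "reject", "none"


def auth_result(sid_matches: bool, status: int, done: int) -> str:
    """Outcome of a single AUTH_RESULT event for the handler in the post."""
    if not sid_matches:
        return NONE                       # outer 'if' is false: handler does nothing
    if status == 0:
        return RESUME                     # SSL::handshake resume (and done <- 1)
    if status != -1 or done == 0:
        return REJECT                     # reject
    return NONE                           # status -1 after the handshake was already resumed


def leaves_handshake_held(sid_matches: bool, status: int, done: int) -> bool:
    """True when the event neither resumes nor rejects while the handshake is still held."""
    return done == 0 and auth_result(sid_matches, status, done) == NONE


def held_cases(statuses=(0, -1, 1)):
    """Enumerate (sid_matches, status, done) inputs that leave the handshake held.

    The status set is an assumption: 0 = success, -1 = the value the iRule
    treats specially, 1 = any other (failure) value.
    """
    return [(m, s, d) for m, s, d in product((True, False), statuses, (0, 1))
            if leaves_handshake_held(m, s, d)]


if __name__ == "__main__":
    for sid_matches, status, done in held_cases():
        print(f"handshake stays held: sid_matches={sid_matches} "
              f"status={status} done={done}")
```

The enumeration shows that every path that leaves the handshake held goes through the outer session-id check being false; once that check passes, every status value either resumes or rejects.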