Forum Discussion
OCSP check iRule issues
Hi,
So, as I have quite a few issues with OCSP/client cert checks using an auth profile with an attached iRule, I wanted to start from scratch.
IF YOU CAN EVEN ONLY ANSWER ONE OF THE QUESTIONS, PLEASE DO SO!
While starting with _sys_auth_ssl_ocsp, I noticed a few things:
1) We shouldn't have to do this, at least when we set tmm_auth_subscription "*" in CLIENT_ACCEPTED, right?
    # only subscribe the OCSP session when the subscription convention is in use
    if {[info exists tmm_auth_subscription]} {
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
    }
Though, can it somehow be possible that we get too many AUTH_RESULT events if we set it to "*"?
2) The AUTH_RESULT event will probably produce connection timeouts:
    when AUTH_RESULT {
        # only handle results that belong to this iRule's own OCSP session
        if {[info exists tmm_auth_ssl_ocsp_sid] and \
            ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
            set tmm_auth_status [AUTH::status]
            if {$tmm_auth_status == 0} {
                # OCSP says the cert is good: release the held handshake
                set tmm_auth_ssl_ocsp_done 1
                SSL::handshake resume
            } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
                reject
            }
        }
    }
If the first "if" statement is not true for whatever reason OR we get a tmm_auth_status of -1 (general OCSP error), the held SSL handshake will never finish and we will run into either the OCSP idle timeout or a TCP timeout. So wouldn't it be generally better to ALWAYS do the SSL::handshake resume and just do a "return" after the reject for that special case? Or is there any special reason we shouldn't resume the handshake here?
3) Can someone please explain
    if {[info exists tmm_auth_ssl_ocsp_sid] and \
        ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
to me? AFAIK, last_event_session_id is the last processed auth event generally. In a high-load scenario (and because the AUTH is most likely multithreaded) it may happen that this is not true. Or is the AUTH_RESULT event called for ALL instances, and this if-statement just means that we want the correct instance to process it?
Many thanks in advance, Rene
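An added example, not code from the post or from F5's _sys_auth_ssl_ocsp iRule, of the hold/resume pattern from points 2 and 3: every AUTH_RESULT for this iRule's own session ends in either a resume or a reject, and results that belong to another auth session are ignored by comparing session ids. It assumes a PAM auth configuration named default_ssl_ocsp and one client-cert auth session per connection.

```tcl
when CLIENT_ACCEPTED {
    # One OCSP auth session per connection; 0 means not started yet
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
}

when CLIENTSSL_CLIENTCERT {
    # No client certificate presented: nothing to check here
    if {[SSL::cert count] == 0} {
        return
    }
    set tmm_auth_ssl_ocsp_done 0
    if {$tmm_auth_ssl_ocsp_sid == 0} {
        # default_ssl_ocsp is an assumed auth configuration name
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
        # same convention as the system iRules: subscribe only when asked to
        if {[info exists tmm_auth_subscription]} {
            AUTH::subscribe $tmm_auth_ssl_ocsp_sid
        }
    }
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    # Hold the handshake until the OCSP answer arrives; every path in
    # AUTH_RESULT below either resumes it or rejects the connection
    SSL::handshake hold
}

when AUTH_RESULT {
    # A result for another auth session on the same virtual server carries
    # a different session id; leave it to the iRule that started that session
    if {![info exists tmm_auth_ssl_ocsp_sid] || \
        $tmm_auth_ssl_ocsp_sid != [AUTH::last_event_session_id]} {
        return
    }
    set tmm_auth_status [AUTH::status]
    if {$tmm_auth_status == 0} {
        # Certificate is good: release the held handshake
        set tmm_auth_ssl_ocsp_done 1
        SSL::handshake resume
        return
    }
    # Any other status (revoked cert, or a general OCSP error such as an
    # unreachable responder) fails closed: reject now instead of leaving
    # the handshake held until the OCSP idle or TCP timeout expires
    log local0. "OCSP check failed for [IP::client_addr]: status $tmm_auth_status"
    reject
}
```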