Forum Discussion
hui_37443
Nimbostratus
Oct 08, 2009
OCSP responder troubleshooting
One of our test servers is having trouble initiating an OCSP check. The authentication status value is always misleading 1. However, from the TCP trace, we have noticed that there has been no traffic ...
hui_37443
Nimbostratus
Oct 08, 2009
Here is the iRule we are using. It works on a dev box, which talks to the same OCSP server. Therefore, I believe it does the job. The trace log suggests "doing OCSP" and "authentication status of round 1 $tmm_auth_status" happen in the same second.
One major difference in the infrastructure is that the test box uses a DNS lookup to resolve the IP, while the dev box uses the local hosts file. Not sure whether that makes any difference.
when CLIENT_ACCEPTED {
    # Start a PAM auth session against the OCSP profile for this connection
    set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
}

when CLIENTSSL_CLIENTCERT {
    set ssl_cert [SSL::cert 0]
    set id [SSL::sessionid]
    set hash [b64encode [sha1 $ssl_cert]]
    # list layout: index 0 = verify result string, 1 = OCSP outcome, 2 = cert hash
    set ssl_array [list blah1 blah2 $hash]
    log local0.debug "client certificate base64 encoded: [b64encode $ssl_cert]"
    lset ssl_array 0 [X509::verify_cert_error_string [SSL::verify_result]]
    if {[matchclass 1 equals $::cbz_ocsp_check]} {
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid $ssl_cert
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        log local0.debug "doing OCSP"
        # hold the handshake until AUTH_RESULT fires
        SSL::handshake hold
    } else {
        log local0.debug "ocsp bypassed"
        lset ssl_array 1 "ocsp_bypassed"
        session add ssl "$id any pool" $ssl_array 21600
    }
}

when AUTH_RESULT {
    if {[info exists tmm_auth_ssl_ocsp_sid] and $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        set tmm_auth_status [AUTH::status]
        log local0.debug "authentication status of round 1 $tmm_auth_status"
        if {$tmm_auth_status eq 0} {
            # Success
            log local0.debug "OCSP verification succeeded"
            SSL::handshake resume
            lset ssl_array 1 "auth_success"
        } elseif {$tmm_auth_status eq 1} {
            # Failure
            log local0.debug "OCSP verification failed"
            SSL::handshake resume
            lset ssl_array 1 "auth_failure"
        } elseif {$tmm_auth_status eq -1} {
            # Error (note: the handshake is left on hold in this branch)
            log local0.debug "OCSP verification error"
            lset ssl_array 1 "auth_failure"
        } else {
            # Not authorised
            log $tmm_auth_status
            log local0.debug "OCSP verification not authorised"
            reject
        }
        session add ssl "$id any pool" $ssl_array 21600
    }
}

when HTTP_REQUEST priority 100 {
    log local0. "Inside ocsp"
    # static content is not subject to the OCSP result
    if {not([matchclass [string tolower [HTTP::path]] contains $::cbz_data_static])} {
        if {[matchclass 1 equals $::cbz_ocsp_check]} {
            set id [SSL::sessionid]
            set ssl_array1 [session lookup ssl "$id any pool"]
            set ssl_data0 [lindex $ssl_array1 0]
            set ssl_data1 [lindex $ssl_array1 1]
            if { $ssl_data0 contains "expired" } {
                log local0.debug "Certificate expired"
                HTTP::path "/common/common.web/html/CertificateExpired.html"
            } elseif { $ssl_data1 contains "auth_failure" } {
                log local0.debug "Authentication failure"
                HTTP::path "/Common/Common.Web/html/OcspFailed.html"
            } elseif { $ssl_data0 contains "ok" } {
                HTTP::header insert SSLCLientCertStatus $ssl_data1
            } else {
                log local0.debug "unknown error"
                HTTP::path "/common/common.web/html/CertificateError.html"
            }
        } else {
            log local0.debug "Generate ocsp bypass header"
            HTTP::header insert OcspBypassed 1
        }
    }
}
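A host-side check for the symptom described in the post (status 1 with no OCSP traffic on the wire, and a DNS-versus-hosts-file difference between the boxes). This is an added example, not code from the thread and not the BIG-IP's own OCSP mechanism: it runs from a shell with openssl and getent available, and the certificate file names are placeholders.

```shell
#!/bin/sh
# Added example: confirm that the OCSP responder named in a client certificate's
# AIA extension resolves on this host and answers a real OCSP query, so that a
# "failed" status can be told apart from "never reached the responder".

# Extract the host part of an OCSP URL, e.g.
# http://ocsp.example.com:8080/status -> ocsp.example.com
ocsp_host_from_url() {
    rest="${1#*://}"              # strip the scheme
    rest="${rest%%/*}"            # strip the path
    printf '%s\n' "${rest%%:*}"   # strip the port
}

# Show how a name resolves: any /etc/hosts entry first, then the resolver.
# A dev box with a hosts entry and a test box without one will differ here.
show_resolution() {
    host="$1"
    printf 'hosts file : '; grep -F "$host" /etc/hosts || echo '(no entry)'
    printf 'resolver   : '; getent hosts "$host" || echo '(no answer)'
}

# Query the responder directly (needs network). The response is verified
# against the issuer given as trust anchor, so a signed good/revoked/unknown
# answer exits 0; a resolution or connection failure exits non-zero.
probe_responder() {
    cert="$1"; issuer="$2"
    url="$(openssl x509 -noout -ocsp_uri -in "$cert")"
    if [ -z "$url" ]; then
        echo "no OCSP URI in $cert"; return 2
    fi
    echo "responder URL: $url"
    show_resolution "$(ocsp_host_from_url "$url")"
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
        -CAfile "$issuer" -resp_text 2>&1 | head -n 20
}

# Usage: sh ocsp_probe.sh client.pem issuer.pem   (placeholder file names)
if [ "$#" -eq 2 ]; then
    probe_responder "$1" "$2"
fi
```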