Forum Discussion
hui_37443
Nimbostratus
Oct 08, 2009
OCSP responder troubleshooting
One of our test servers is having trouble initiating an OCSP check. The authentication status value is always a misleading 1. However, from the TCP trace, we have noticed that there has been no traffic ...
hoolio
Cirrostratus
Oct 09, 2009
Hi Hui,
I ran into a similar issue while testing an OCSP iRule in that I wasn't able to get any details on why the OCSP lookup failed. F5 development came up with a fix as described in CR126501:
The solution is to return additional information via AUTH::response_data, which is what we already did for LDAP. The DevCentral Wiki page has more information on that command. For OCSP, the key to use is "ocsp:response:status". For the particular case that this customer is interested in, where the server is unreachable, the error message we return is "Error (Could not connect to server)". It is important to note the second paragraph on the DevCentral page. It states: "AUTH::subscribe must first be called to register interest in query results prior to calling AUTH::authenticate. As a convenience when using the builtin system auth rules, these rules will call AUTH::subscribe if the variable tmm_auth_subscription is set. Instead of calling AUTH::subscribe directly, we recommend setting tmm_auth_subscription to "*" when using the builtin system auth rules in the interest of forward-compatibility." If AUTH::response_data is returning no data at all, it's probably because the AUTH::subscribe steps above were not taken.
This fix is available in a hotfix for 9.4.8.
Aaron
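To make the advice in Aaron's reply concrete, here is an added example iRule (not code from this thread, from F5, or from the built-in system auth rules) that calls AUTH::subscribe before AUTH::authenticate and then reads AUTH::response_data in AUTH_RESULT, so a transport failure such as "Error (Could not connect to server)" shows up in the log instead of a bare status code. AUTH::start, AUTH::subscribe, AUTH::cert_credential, AUTH::cert_issuer_credential, AUTH::authenticate, AUTH::status, AUTH::response_data, AUTH::last_event_session_id and the CLIENTSSL_CLIENTCERT / AUTH_RESULT events are F5 iRule commands and events; the profile name my_ocsp_profile is a placeholder, and treating the return value of AUTH::response_data as a flat key/value list is an assumption.

```tcl
# Added example, not the original poster's or F5's code.
# Assumptions: "my_ocsp_profile" is a placeholder for the OCSP auth profile
# name, and AUTH::response_data returns a flat key/value list that can be
# loaded into an array.

when CLIENT_ACCEPTED {
    set ocsp_sid 0
    set ocsp_done 0
}

when CLIENTSSL_CLIENTCERT {
    # No client certificate presented: nothing to check against the responder.
    if { [SSL::cert count] == 0 } { return }
    set ocsp_done 0
    if { $ocsp_sid == 0 } {
        set ocsp_sid [AUTH::start pam my_ocsp_profile]
        # Register interest in the result data BEFORE authenticating.
        # Without this, AUTH::response_data is empty in AUTH_RESULT.
        # (Equivalent, when using the built-in rules: set tmm_auth_subscription "*")
        AUTH::subscribe $ocsp_sid
    }
    AUTH::cert_credential $ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $ocsp_sid
    # Hold the handshake until the OCSP lookup completes.
    SSL::handshake hold
}

when AUTH_RESULT {
    # Only act on the result belonging to this connection's auth session.
    if { $ocsp_sid != [AUTH::last_event_session_id] } { return }
    set status [AUTH::status]

    # Pull the OCSP-specific detail out of the response data.
    set ocsp_status "unknown"
    set rd_list [AUTH::response_data]
    if { [llength $rd_list] > 0 && ([llength $rd_list] % 2) == 0 } {
        array set rd $rd_list
        if { [info exists rd(ocsp:response:status)] } {
            set ocsp_status $rd(ocsp:response:status)
        }
    }

    if { $status == 0 } {
        set ocsp_done 1
        SSL::handshake resume
    } else {
        # A responder that cannot be reached is now distinguishable in the log
        # from a certificate the responder actually reported as bad.
        log local0. "OCSP check failed for [IP::client_addr]: AUTH::status=$status ocsp:response:status=$ocsp_status"
        reject
    }
}
```

Watch the log for the ocsp:response:status value while reproducing the problem: if it reads "Error (Could not connect to server)", the symptom matches the no-traffic observation in the original post and the fault is reachability of the responder rather than the certificate; if the key is missing entirely, AUTH::subscribe was not called before AUTH::authenticate.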