Forum Discussion
OCSP Responder
- Dec 09, 2020
Hi Lidev, thanks for responding. This is actually how I configured it, but I am not too sure if this is correct; however, from the packet capture I can now see the OCSP request and OCSP response, so I see we are hitting the remote OCSP. We don't want to use stapling but rather remote OCSP authentication, but I am not too sure if I should enable client authentication.
Would you be able to advise whether all of the below is correct, or if I missed anything?
- I created the "ocsp responder"; this is where I put the "ocsp responder url".
- I created the "ocsp configuration" and attached the "ocsp responder".
- I created the "ocsp profile" and attached the "ocsp configuration".
- On the "application virtual server" I attached the "ocsp profile" under the "Authentication profile".
- On the "ssl client profile" of the application virtual server I enabled "client authentication", changed "client certificate" from ignore to require, and then applied the CA certificate under the trusted certificate authorities.
Test result:
- The moment the user launches the URL, the browser prompts to select the certificate.
- Select and click OK, but the page errors.
From the dump:
I see the OCSP request and OCSP response, and the status of the OCSP response is "unauthorized".
From this point I can tell something is wrong with the remote OCSP; however, I want to know if my configuration is all correct.
Please, kindly advise. Thanks a lot.
Yes, you need to make some modifications in the SSL Client profile.
Please refer to the links below for more information:
Regards
- Lidev, Dec 09, 2020 (MVP)
Difficult to say without having the configuration files of the BIG-IP, but in general it looks OK.
Moreover, if you now see the OCSP request/response, it's a good sign.
It actually looks like you have a problem with the remote OCSP server.
Regards
- f5mkuDefault, Dec 10, 2020 (Cirrus)
We were able to find the root cause, and it was due to the "Nonce", which is enabled by default on the BIG-IP, while according to Microsoft the "Nonce" is disabled by default in MS.
But I still cannot find a document from F5 that says that for remote OCSP authentication I need to enable client authentication under the SSL client profile.
Enabling client authentication is for 2-way SSL.
Anyway, thanks a lot Lidev for helping out.
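The two things the poster saw on the wire, a request carrying the nonce extension and a bare "unauthorized" response, are short DER structures, and it helps to know exactly what bytes to look for in a capture. The following is an added example written for this thread, not code from the original post, from F5 or from Microsoft: it builds a one-certificate OCSP request with or without the id-pkix-ocsp-nonce extension (RFC 6960 and RFC 8954) using only the Python standard library, and decodes the responseStatus of an OCSP response. The issuer name, the issuer key bytes and the serial are constructed placeholders; the "unauthorized" response bytes are the minimal DER encoding of that status (SEQUENCE { ENUMERATED 6 }), not a real capture from the poster's dump.

```python
"""Added example for the thread above (not F5 or Microsoft code): build an
OCSP request with and without the nonce extension, and decode the
responseStatus of an OCSP response, using only the standard library.
The issuer name, issuer key bytes and the "unauthorized" responder output
are constructed placeholders, not real captures from the poster's dump."""
import hashlib
import os

# DER-encoded OIDs: sha1 (1.3.14.3.2.26) and id-pkix-ocsp-nonce (1.3.6.1.5.5.7.48.1.2)
OID_SHA1 = bytes.fromhex("2b0e03021a")
OID_OCSP_NONCE = bytes.fromhex("2b0601050507300102")

# OCSPResponseStatus values from RFC 6960 section 4.2.1 (4 is unused)
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# What the wire carries for a bare "unauthorized" answer: SEQUENCE { ENUMERATED 6 }
# with no responseBytes, so there is nothing to verify and no nonce echoed back.
UNAUTHORIZED_RESPONSE = bytes.fromhex("30030a0106")


def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def int_der(n):
    """DER INTEGER body for a non-negative serial (leading 0x00 if high bit set)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def read_tlv(buf, off=0):
    """Decode one TLV at buf[off]; returns (tag, value, offset after the TLV)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n


def build_ocsp_request(issuer_name_der, issuer_key_bytes, serial, nonce=None):
    """OCSPRequest (RFC 6960 4.1.1) for one certificate, unsigned.

    issuer_name_der: DER of the issuer Name; issuer_key_bytes: the issuer's
    public key BIT STRING contents (both hashed with SHA-1 into the CertID).
    nonce=None omits requestExtensions, which is what a client with the nonce
    disabled sends; a bytes value adds the id-pkix-ocsp-nonce extension.
    """
    alg_id = tlv(0x30, tlv(0x06, OID_SHA1) + tlv(0x05, b""))
    cert_id = tlv(0x30, alg_id
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
                  + tlv(0x04, hashlib.sha1(issuer_key_bytes).digest())
                  + tlv(0x02, int_der(serial)))
    tbs = tlv(0x30, tlv(0x30, cert_id))                    # requestList: one Request
    if nonce is not None:
        # Extension { extnID, extnValue OCTET STRING wrapping OCTET STRING nonce } (RFC 8954)
        ext = tlv(0x30, tlv(0x06, OID_OCSP_NONCE) + tlv(0x04, tlv(0x04, nonce)))
        tbs += tlv(0xA2, tlv(0x30, ext))                   # requestExtensions [2] EXPLICIT
    return tlv(0x30, tlv(0x30, tbs))                       # OCSPRequest { tbsRequest }


def request_has_nonce(der):
    """True when the OCSPRequest carries id-pkix-ocsp-nonce in requestExtensions."""
    _, ocsp_request, _ = read_tlv(der)
    _, tbs, _ = read_tlv(ocsp_request)
    off = 0
    while off < len(tbs):
        tag, val, off = read_tlv(tbs, off)
        if tag != 0xA2:                                    # skip version/requestorName/requestList
            continue
        _, extensions, _ = read_tlv(val)
        pos = 0
        while pos < len(extensions):
            _, ext, pos = read_tlv(extensions, pos)
            _, oid, _ = read_tlv(ext)
            if oid == OID_OCSP_NONCE:
                return True
    return False


def parse_response_status(der):
    """Return (status name, has_responseBytes) for a DER OCSPResponse."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not an OCSPResponse SEQUENCE")
    tag, status, off = read_tlv(body)
    if tag != 0x0A:
        raise ValueError("responseStatus must be ENUMERATED")
    code = int.from_bytes(status, "big")
    has_response_bytes = off < len(body) and body[off] == 0xA0
    return RESPONSE_STATUS.get(code, "unknown(%d)" % code), has_response_bytes


if __name__ == "__main__":
    # Constructed placeholders: a Name of CN=Example CA and 64 random key bytes.
    issuer_name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                            + tlv(0x0C, b"Example CA"))))
    issuer_key = os.urandom(64)
    with_nonce = build_ocsp_request(issuer_name, issuer_key, 0x1234, nonce=os.urandom(16))
    without_nonce = build_ocsp_request(issuer_name, issuer_key, 0x1234)
    print("nonce present:", request_has_nonce(with_nonce), request_has_nonce(without_nonce))
    print("responder said:", parse_response_status(UNAUTHORIZED_RESPONSE))
```

In a capture, the nonce extension shows up as the DER OID bytes `06 09 2b 06 01 05 05 07 30 01 02` inside the POSTed OCSP request, so grepping the request body for that sequence tells you whether the "ocsp responder" object is still sending a nonce. A response of exactly `30 03 0a 01 06` has no responseBytes at all, which is why there is no signature and no echoed nonce to check; the failure is on the responder side, as Lidev said, and for a responder that does not support nonces the fix is to turn the nonce off on the client.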
- Lidev, Dec 14, 2020 (MVP)
You're welcome :) glad to see that you have identified the issue.
Please don't forget to mark your answer with "Select as Best" in order to mark your post as resolved and help other people find it.
- f5mkuDefault, Dec 16, 2020 (Cirrus)
In addition to the above, the client/user machine must also have the client certificate installed under the personal folder of their browser. Then whatever certificate you apply under SSL profile > Client authentication must be able to identify the client certificate sent by the client/user machine. Otherwise it will fail and you get the error page.