Forum Discussion

Biche_XD_185704
Oct 03, 2018

[OCSP Stapling] Globalsign configuration

Hi everyone, my objective is simple: I want to set up OCSP Stapling on my HTTPS VIP.

For that, I follow this article

For information, Globalsign is my SSL provider and I have a wildcard certificate.

For testing, I created a folder in /tmp that contains 4 files:

  • root_ca.pem --> root certificate of Globalsign
  • inter_ca.pem --> intermediate certificate of Globalsign
  • chain.pem --> concatenation of root_ca.pem and inter_ca.pem
  • server.crt --> my server certificate (set in the SSL profile on my HTTPS VIP)

If I follow the article:

```
openssl verify -CAfile chain_ca.pem server.crt
server.crt: OK
```

```
openssl ocsp -issuer inter_ca.pem -cert server.crt -text -header "HOST" "ocsp2.globalsign.com" -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -CAfile chain_ca.pem
```

```
Response verify OK
server.crt: good
    This Update: Oct  3 15:33:38 2018 GMT
    Next Update: Oct  7 15:33:38 2018 GMT
```

Here, all is OK.

Then, I configured a DNS Resolver (it responds to dig requests).

Here is my OCSP config:

Finally, I configured the OCSP Stapling profile on my SSL profile.

So, here is the problem:

```
openssl s_client -connect mysite.com.com:443 -tlsextdebug -status | grep -i "ocsp response" -B 5 -A 10
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = FR, ST = HAUTS-DE-SEINE, L = BOULOGNE-BILLANCOURT, O = Mycompany, CN = *.mysite.com
verify return:1
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - 
OCSP response: no response sent
---
Certificate chain
 0 s:/C=FR/ST=HAUTS-DE-SEINE/L=BOULOGNE-BILLANCOURT/O=Mycompany SA/CN=*.mysite.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFXjCCBEagAwIBAgIMC5i5tRV4nZMVggsYMA0GCSqGSIb3DQEBCwUAMGYxCzAJ
```


The problem is that no DNS request is made by the F5 (tcpdump is empty), and no request is made to ocsp2.globalsign.com.
The F5 is on version 12.1.1 build 2.
Has anyone tried this with Globalsign?
Thanks a lot for your help.
  • When you created the DNS Resolver, did you create a Forward Zone for "."? It's a little hard to see in the screenshots, but the DNS Resolver is pretty much useless without it.

    This sounds more like a routing or DNS issue than anything else, especially if it's not even attempting to request the OCSP status.

  • Can you send a screenshot of your OCSP Stapling config, or describe how you've configured it?

  • Okay, so maybe two things:

    Trusted Certificate Authorities : p_ssl_ocsp_inter_ca --> certificate which contains the intermediate Globalsign certificate

    This needs to be the complete CA chain, not just the immediate CA signer.

    Clock Skew : 300s

    Can you also verify that your time is in sync?

  • You can use ssldump to determine if stapling is actually happening.

    ```
    ssldump -AdNn -i [client side VLAN] port 443 [and any other filters]
    ```

    You'll see the status_request message in the Client Hello, and if the server supports it, a stapled response in Certificate Status. And compare this to a known-good stapling site like https://www.bing.com.

    If you do see stapling transactions, it could be that Firefox (or SSLLabs) doesn't specifically trust the signer of your stapled response.
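To grade a VIP from the client side in the same way the `openssl s_client -status` output above is read by hand, here is an added example (not code from this thread, from F5 or from GlobalSign): a small Python checker that parses `s_client -status` output, tells "OCSP response: no response sent" apart from a stapled response, checks the responder and certificate status, and applies a clock-skew tolerance like the profile's 300 s Clock Skew setting when judging the This Update / Next Update window. The hostname in the usage comment, the file name and the two embedded sample outputs are constructed for this example and are not real captures.

```python
"""Grade OCSP stapling from `openssl s_client -status` output.

Added example for this thread; not code from the original post or from F5.
Capture a handshake with, for instance (hostname is a placeholder):

    openssl s_client -connect mysite.com:443 -status </dev/null 2>/dev/null | python3 check_stapling.py

The two samples below are constructed from the output shapes openssl prints;
they are not real responses.
"""
import re
from datetime import datetime, timedelta, timezone

# openssl renders OCSP times as e.g. "Oct  3 15:33:38 2018 GMT" (double space
# before a single-digit day), so whitespace is collapsed before parsing.
_OPENSSL_TS = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(value):
    """Convert an openssl-formatted GMT timestamp into an aware UTC datetime."""
    return datetime.strptime(" ".join(value.split()), _OPENSSL_TS).replace(tzinfo=timezone.utc)


def check_stapling(s_client_output, now, clock_skew=timedelta(seconds=300)):
    """Return (status, detail) for one captured handshake.

    status is one of: not_stapled, stapled_bad_status, stapled_not_good,
    stapled_not_yet_valid, stapled_expired, stapled_ok.
    clock_skew mirrors the profile's "Clock Skew" value; here it is applied on
    both ends of the thisUpdate..nextUpdate window (an assumption of this example).
    """
    if "OCSP response: no response sent" in s_client_output:
        return "not_stapled", "server sent no status_request response"

    m = re.search(r"OCSP Response Status:\s*(\w+)", s_client_output)
    if not m or m.group(1) != "successful":
        return "stapled_bad_status", "responder status: %s" % (m.group(1) if m else "missing")

    cert_status = re.search(r"Cert Status:\s*(\w+)", s_client_output)
    if cert_status and cert_status.group(1) != "good":
        # revoked or unknown: the staple is present but must not be trusted as "good"
        return "stapled_not_good", "cert status: %s" % cert_status.group(1)

    this_update = re.search(r"This Update:\s*(.+)", s_client_output)
    next_update = re.search(r"Next Update:\s*(.+)", s_client_output)
    if not this_update or not next_update:
        return "stapled_bad_status", "response lacks This Update / Next Update"

    start = parse_openssl_time(this_update.group(1).strip())
    end = parse_openssl_time(next_update.group(1).strip())
    if now < start - clock_skew:
        return "stapled_not_yet_valid", "thisUpdate %s is in the future" % start.isoformat()
    if now > end + clock_skew:
        return "stapled_expired", "nextUpdate %s has passed" % end.isoformat()
    return "stapled_ok", "valid %s .. %s" % (start.isoformat(), end.isoformat())


# Constructed sample 1: the shape the thread's VIP returned (no staple).
NO_STAPLE = """CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:/CN=*.mysite.com
"""

# Constructed sample 2: a stapled "good" response as openssl prints it.
STAPLED_GOOD = """CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Oct  3 15:33:38 2018 GMT
    Responses:
    Cert Status: good
    This Update: Oct  3 15:33:38 2018 GMT
    Next Update: Oct  7 15:33:38 2018 GMT
======================================
---
"""

if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty():
        # real use: pipe the s_client output in and judge it against the current time
        print(*check_stapling(sys.stdin.read(), datetime.now(timezone.utc)))
    else:
        # demo on the constructed samples, evaluated at a fixed instant inside the window
        at = parse_openssl_time("Oct  5 00:00:00 2018 GMT")
        for label, text in (("no staple", NO_STAPLE), ("stapled", STAPLED_GOOD)):
            print(label + ":", *check_stapling(text, at))
```

Run it against a known-good stapling site first (the reply above suggests https://www.bing.com) and then against the VIP; a `not_stapled` result on the VIP with a stapled result elsewhere points at the F5 side, while `stapled_not_yet_valid` or `stapled_expired` points at clock sync or a stale cached response.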

  • Hi Kevin,

    This is an interesting thread... I already tried to make it work but didn't spend much time troubleshooting.

    I have a question about the best configuration to make it work.

    If we have the following certificate tree:

    • RootCA
      • IntermediateCA1
        • IntermediateCA2
          • ServerCA

    In the clientSSL profile, I configure these certificates:

    Cert

    ```
    -----BEGIN CERTIFICATE-----
    ServerCA Base64 encoded
    -----END CERTIFICATE-----
    ```

    Chain (not including Root CA certificate)

    ```
    -----BEGIN CERTIFICATE-----
    IntermediateCA2 Base64 encoded
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    IntermediateCA1 Base64 encoded
    -----END CERTIFICATE-----
    ```

    What certificate must be set in OCSP Trusted Certificate Authorities and Trusted Responders?