Forum Discussion
SSL VS w/OCSP responder - Peer cert verify error
Feb 21 14:39:44 local/tmm1 debug tmm1[5209]: 01260006:7: Peer cert verify error: unsupported certificate purpose (depth 0; cert /CN=nmc60.test.com)
Feb 21 14:39:44 local/tmm1 debug tmm1[5209]: 01260009:7: Connection error: ssl_shim_vfycert:2348: unsupported certificate purpose (42)
Below is the config I am using...
BIG-IP 10.2.1
virtual test_PUAC {
   snat automap
   pool test_PUAC
   destination 192.168.192.200:https
   ip protocol tcp
   auth pr_sslocsp_test_nmc_pcrt10
   profiles {
      http {}
      tcp {}
      test_PCRT_wildcard {
         clientside
      }
   }
}
profile auth pr_sslocsp_test_nmc_pcrt10 {
   defaults from ssl_ocsp
   config ocsp_resp_nmc_pcrt10_conf
   type ssl ocsp
   credential source http basic auth
}
auth ssl ocsp ocsp_resp_nmc_pcrt10_conf {
   responders ocsp_resp_test_NMC_PCRT10
}
ocsp responder ocsp_resp_test_NMC_PCRT10 {
   url "http://10.16.232.247/ocsp"
   ca file "PCRT_ALL.crt"
   signer "PCRT_Root-wildcard.crt"
   sign key "PCRT_Root-wildcard.key"
}
profile clientssl test_PCRT_wildcard {
   defaults from clientssl
   key "PCRT_Root-wildcard.key"
   cert "PCRT_Root-wildcard.crt"
   chain "PCRT_ALL.crt"
   ca file "PCRT_ALL.crt"
   client cert ca "PCRT_ALL.crt"
   peer cert mode require
}
Brian
4 Replies
- hoolio
Cirrostratus
Hi Brian,
It sounds like someone's cert (the client or possibly the OCSP server) isn't set with a valid purpose (client or OCSP server). Who has the nmc60.test.com cert installed?
Aaron
- barneb01_8208
Nimbostratus
Hi Aaron,
"nmc60.test.com cert" is installed on the client (not f5) and is the cert the f5 is attempting to authenticate via OCSP. The OCSP response is successful but the f5 doesn't like the purpose of the cert. Support had me load the client cert on the f5 and run the following ocsp commands...
openssl verify -purpose sslclient -CAfile PCRT_ALL.crt nmc60.test.com.crt
openssl verify -purpose sslserver -CAfile PCRT_ALL.crt nmc60.test.com.crt
both commands return the same result:
nmc60.test.com.crt: /CN=nmc60.test.com
error 26 at 0 depth lookup:unsupported certificate purpose
OK
We had the admin who provisions the certs modify the purpose and then I ran the openssl command again and got a positive result. Problem now is the OCSP server responds with an "unauthorized" OCSP response with the updated client cert.
The unauthorized response is a different issue, but I'm curious about the following...
What "purpose type" does the f5 expect when verifying the client cert?
Where in the ltm config can I view how the f5 is attempting to verify the cert and can those parameters be changed?
Brian
- Emad_26973
Cirrus
Any Update on this thread as I am facing the same issue.
- barneb01_8208
Nimbostratus
Hi Emad, review the "Client Authentication" settings of the SSL client profile assigned to the VS, and note the available "client certificate" options (ignore, require, request).
The "require" setting enforces client certificate authentication w/OCSP. The BIG-IP will request a client certificate and attempt to verify it. An SSL session is established ONLY if a valid client certificate from a trusted CA was presented AND if the client certificate was configured with the "ssl client" purpose.
Brian
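The openssl check that support had Brian run, reproduced end to end as an added example that is not part of this thread and not F5's code: it builds a throwaway CA ("Lab Test CA") and two client certificates that differ only in extendedKeyUsage, then runs `openssl verify -purpose sslclient` and `-purpose sslserver` against each. The CA name, subjects, file names and the emailProtection-only EKU used as the "wrong purpose" case are assumptions for the lab, not details taken from the PCRT environment. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "unsupported certificate
# purpose" (error 26) that openssl verify -purpose reports, using a throwaway
# CA and two leaf certs that differ only in extendedKeyUsage. The CA name,
# subjects, file names and the emailProtection EKU are lab assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extension files. Only extendedKeyUsage differs between the two leaf certs:
# "clientAuth" is the "ssl client" purpose; "emailProtection" alone is the
# kind of S/MIME-only template that fails both sslclient and sslserver.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > ca.cnf
printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=clientAuth' > good.cnf
printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=emailProtection' > bad.cnf

# mkcert NAME SUBJECT EXTFILE [CA]: key + CSR, then a signed cert;
# self-signed when no CA name is given.
mkcert() {
    openssl req -new -newkey rsa:2048 -nodes -batch -config req.cnf \
        -subj "$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    if [ -n "$4" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
            -days 2 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -days 2 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
    fi
}

mkcert ca   "/CN=Lab Test CA"      ca.cnf
mkcert good "/CN=lab-client-ok"    good.cnf ca
mkcert bad  "/CN=lab-client-smime" bad.cnf  ca
CA_CERT=ca.crt; GOOD_CERT=good.crt; BAD_CERT=bad.crt

# eku CERT: print the certificate's extendedKeyUsage so the cause is visible.
eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
        | tail -n 1 | sed 's/^ *//'
}

# check_purpose PURPOSE CERT: 0 = chain and purpose OK, 1 = error 26
# (unsupported certificate purpose), 2 = some other verify failure.
check_purpose() {
    verify_out=$(openssl verify -purpose "$1" -CAfile "$CA_CERT" "$2" 2>&1) && return 0
    echo "$verify_out" | grep -q 'unsupported certificate purpose' && return 1
    echo "$verify_out" >&2
    return 2
}

for cert in "$GOOD_CERT" "$BAD_CERT"; do
    echo "$cert  EKU: $(eku "$cert")"
    for purpose in sslclient sslserver; do
        rc=0; check_purpose "$purpose" "$cert" || rc=$?
        echo "  -purpose $purpose -> rc=$rc"
    done
done
```

What the `sslclient` purpose check in OpenSSL actually requires of a leaf certificate: if an extendedKeyUsage extension is present it must include clientAuth, and if a keyUsage extension is present it must include digitalSignature or keyAgreement; a certificate with no EKU at all passes, and nsCertType, when present, must allow SSL client use. The `sslserver` purpose applies the same shape of test with serverAuth, which is why a clientAuth-only certificate passes the first command and fails the second, and an emailProtection-only certificate fails both, just as the certificate in the thread did before the issuer changed its template.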