Forum Discussion
barneb01_8208
Nimbostratus
Feb 21, 2012
SSL VS w/OCSP responder - Peer cert verify error
I have an SSL VS configured with a client ssl and OCSP authentication profile and I'm observing SSL handshake failures even though the OCSP response status is successful (0). I enabled "bigpipe db Log.S...
barneb01_8208
Nimbostratus
Feb 24, 2012
Hi Aaron,
"nmc60.test.com cert" is installed on the client (not f5) and is the cert the f5 is attempting to authenticate via OCSP. The OCSP response is successful but the f5 doesn't like the purpose of the cert. Support had me load the client cert on the f5 and run the following ocsp commands...
openssl verify -purpose sslclient -CAfile PCRT_ALL.crt nmc60.test.com.crt
openssl verify -purpose sslserver -CAfile PCRT_ALL.crt nmc60.test.com.crt
Both commands return the same result:
nmc60.test.com.crt: /CN=nmc60.test.com
error 26 at 0 depth lookup:unsupported certificate purpose
OK
We had the admin who provisions the certs modify the purpose, and then I ran the openssl command again and got a positive result. The problem now is that the OCSP server responds with an "unauthorized" OCSP response for the updated client cert.
The unauthorized response is a different issue, but I'm curious about the following...
What "purpose type" does the f5 expect when verifying the client cert?
Where in the ltm config can I view how the f5 is attempting to verify the cert and can those parameters be changed?
Brian
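The "error 26 ... unsupported certificate purpose" result above comes from OpenSSL's purpose check on the leaf certificate: for `-purpose sslclient` the extendedKeyUsage, if present, must include clientAuth (and keyUsage, if present, must allow digitalSignature or keyAgreement). The script below is an added example, not from this thread or from F5; it builds a throwaway lab CA (constructed test data), issues one cert whose EKU is emailProtection only and one with clientAuth, and runs the same `openssl verify -purpose` checks against both. The `check_purpose` helper and all file names are my own.

```shell
#!/bin/sh
# Added example: reproduce "unsupported certificate purpose" with a throwaway CA.
# Requires openssl 1.1.1 or later (uses -pkeyopt and x509 -extfile). Not F5 code.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway lab CA (constructed test data). A self-signed cert from `req -x509`
# is accepted as a CA by OpenSSL's purpose checks.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
  -subj "/CN=Lab Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_leaf NAME EKU: sign a leaf cert for CN=NAME with the given extendedKeyUsage.
issue_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# check_purpose NAME PURPOSE: run the same verify as in the thread; print a one-line
# verdict and return 0 on "OK", 1 otherwise (exit status is checked via the text,
# since old openssl releases returned 0 even on a failed verify).
check_purpose() {
  out=$(openssl verify -purpose "$2" -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>&1) || true
  case "$out" in
    *"unsupported certificate purpose"*)
      echo "error 26: unsupported certificate purpose"; return 1 ;;
    *": OK"*) echo "OK"; return 0 ;;
    *) echo "$out"; return 1 ;;
  esac
}

issue_leaf email-only emailProtection   # EKU excludes both TLS roles: fails both purposes
issue_leaf tls-client clientAuth        # what a client-cert check expects

for name in email-only tls-client; do
  for purpose in sslclient sslserver; do
    printf '%-10s -purpose %-9s : %s\n' "$name" "$purpose" "$(check_purpose "$name" "$purpose" || true)"
  done
done
# Show the extension that drives the verdict, the first thing to inspect on a failing cert.
openssl x509 -in "$WORK/email-only.crt" -noout -ext extendedKeyUsage
```

The email-only cert fails both `sslclient` and `sslserver`, matching the symptom in the thread, while the clientAuth cert passes `sslclient` only.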