
Forum Discussion

Nicolas_COLLET
Jun 15, 2016

Troubleshooting OCSP Stapling & error : OCSP failure on profile

Hi,

 

We configured a clientssl profile with an OCSP stapling profile on BIG-IP 11.6.1. To configure this for a Thawte certificate, we used this documentation:

* SOL17111035: Configuring OCSP stapling
* Configuring OCSP Stapling on BIG-IP
* Mozilla WIKI - Security/TLS Configurations

 

For a lot of certificates it's OK, but not for the Thawte certificate.

 

We obtain this error: OCSP failure on profile /Common/clientssl_test.fr, certificate with issuer /C=US/O=thawte, Inc./CN=thawte SSL CA - G2 and serial number ffffffffffffffff: Validation of the OCSP response returned error - response validity does not fall in the acceptable time duration

 

I don't understand why serial number ffffffffffffffff is used, because it's not the serial number of my certificate.

 

The BIG-IP is behind a firewall. We configured a DNS resolver and it's OK to use it.

 

On the BIG-IP appliance, we tested it with the openssl command line and it's OK to get the OCSP stapling response: openssl ocsp -issuer THAWTE_Bundle_SHA256.crt -cert -text -url http://tj.symcd.com -CAfile THAWTE_Bundle_SHA256_ALL.crt

 

Does anybody have an idea?

 

Best regards

 

2 Replies

  • DenisG_22372
    Historic F5 Account

    I had this same issue after upgrading my lab system to version 12. A bit of googling found only this thread. A bit of back-end searching found the solution is to change it to 7 days (in seconds) = 604800.

     

    Once I did that, all is well again. Yahoo!

     

    According to the following SOL article, F5 now accepts new status age parameters: SOL16810: The Status Age parameter of the OCSP Stapling profile has new default value and acceptable range https://support.f5.com/kb/en-us/solutions/public/16000/800/sol16810.html?sr=50661207

     

    • Nicolas_COLLET
      Hi, I found another post on DevCentral that talks about that: https://devcentral.f5.com/questions/ocsp-stapling-37098 It explains the same things. I updated the status age to 7 days and it's working after that. I opened a support case and they explained this:

      "We've found out that the issue could be related to the 'status age' parameter in the OCSP_Stapling_Thawte profile, set by default to 1 day (86400 seconds). The mentioned errors found in the logs are produced when an expired response is received from the OCSP responder. Our recommendation for the moment is to set it to 7 days and perform the test again."

      And after:

      "I think that the key thing is how the status_age parameter is used. It's simply a mechanism by which the system can forcibly enforce a lifetime on responses, including those that omit the nextUpdate. In fact, OCSP implementations in other systems allow disabling the status_age parameter (but it's not allowed on F5). Apache: https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslstaplingresponsemaxage nginx: http://hg.nginx.org/nginx/file/973fded4f461/src/event/ngx_event_openssl_stapling.c#l625 According to the following SOL article, F5 now accepts new status age parameters: SOL16810: The Status Age parameter of the OCSP Stapling profile has new default value and acceptable range https://support.f5.com/kb/en-us/solutions/public/16000/800/sol16810.html?sr=50661207 I think that the best way to approach it right now is to try to reproduce the issue while performing a packet capture (to capture client, VIP, DNS resolver and OCSP responder traffic) with the debugging option enabled on the BIG-IP side. This would allow us to identify the failing response. Afterwards, please consider applying the workaround and increasing the OCSP status age parameter (while capturing data) to see if the issue is still there."
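The window check behind the "response validity does not fall in the acceptable time duration" error, and why raising Status Age from 1 day to 7 days makes it go away, as an added example that is not part of the thread and not F5, OpenSSL or Apache code. It models the four comparisons OpenSSL's OCSP_check_validity(thisupd, nextupd, nsec, maxsec) performs; treating BIG-IP's Status Age as that maxsec bound on thisUpdate, and status_age=None as the "disabled" setting the support engineer mentions for Apache and nginx, are assumptions of this example. The sample responses, timestamps and the skew value are constructed here, not taken from the poster's responder.

```python
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value):
    """Parse an ASN.1 GeneralizedTime as carried in an OCSP response
    (e.g. '20160612120000Z') into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_ocsp_validity(this_update, next_update, now, status_age, skew=300):
    """Mirror the checks OpenSSL's OCSP_check_validity() makes on a response.

    status_age plays the role of its maxsec argument (assumption: this is how
    BIG-IP's Status Age bounds a response's lifetime); skew plays the role of
    nsec, the tolerated clock drift.  status_age=None disables the age bound,
    the way Apache's SSLStaplingResponseMaxAge -1 does.
    Returns (accepted, reasons).
    """
    reasons = []
    # thisUpdate may not lie more than `skew` seconds in the future
    if this_update > now + timedelta(seconds=skew):
        reasons.append("thisUpdate is in the future (status not yet valid)")
    # thisUpdate may not be older than status_age: this is the check that a
    # responder signing once a week fails against a 1-day bound
    if status_age is not None and this_update < now - timedelta(seconds=status_age):
        reasons.append("thisUpdate older than status_age (status too old)")
    # nextUpdate is optional; when present it must not have passed and must
    # not precede thisUpdate
    if next_update is not None:
        if next_update < now - timedelta(seconds=skew):
            reasons.append("nextUpdate already passed (status expired)")
        if next_update < this_update:
            reasons.append("nextUpdate precedes thisUpdate")
    return (not reasons, reasons)


# Constructed sample responses (not captured from the responder in the
# thread); the clock is fixed so the example behaves the same offline.
NOW = parse_generalized_time("20160615120000Z")

SAMPLES = {
    # Responder signs once a week: thisUpdate is three days old with four
    # days left before nextUpdate.  Fine per RFC 6960, but older than 1 day.
    "weekly": {"this_update": parse_generalized_time("20160612120000Z"),
               "next_update": parse_generalized_time("20160619120000Z")},
    # Response that omits nextUpdate: only status_age bounds its lifetime.
    "no_nextupdate": {"this_update": parse_generalized_time("20160612120000Z"),
                      "next_update": None},
    # Genuinely stale response: nextUpdate passed a day ago.
    "expired": {"this_update": parse_generalized_time("20160607120000Z"),
                "next_update": parse_generalized_time("20160614120000Z")},
}


def evaluate(status_age, now=NOW):
    """Run every sample through the check with one status_age value and
    return {sample name: accepted}."""
    return {name: check_ocsp_validity(now=now, status_age=status_age, **r)[0]
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for label, age in (("1 day (old default)", 86400),
                       ("7 days (SOL16810 workaround)", 604800),
                       ("disabled", None)):
        print(f"status_age {label}: {evaluate(age)}")
```

With the 1-day bound every sample is rejected, including the perfectly valid weekly response; with 7 days only the genuinely expired response fails. Note that disabling the bound still rejects the expired sample because the nextUpdate check is independent of status_age, which is the point the support engineer makes about responses that omit nextUpdate: for those, status_age is the only lifetime limit a staple gets.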