Valid certificate is identified as revoked by "OCSP Authentication error redirect" IRule

Question

Hi,       
&nbsp;       As part of the implementation of a PKI, I try to use the "OCSP Authentication error redirect" IRule in a BigIP 1500 LTM (version 9.3.1) intended to redirect the Client browser toward a specific web page in the case where the authentication failed (no Client certificate, expired certificates, revoked certificate, others)       
&nbsp;              
&nbsp;       I have installed the relevant CA in the BigIP.       
&nbsp;              
&nbsp;       And...       
&nbsp;               
&nbsp;       We meet an authentication problem that we do not explain : a valid certificate is identified by the IRule as revoked, what does not seem correspond to a normal functioning, according to me.       
&nbsp;              
&nbsp;       However, the "OCSP Authentication error redirect" IRule is classified as ***** 2nd Place Customer Winner ***** !!! So I tell myself that the rule must work properly...       
&nbsp;              
&nbsp;       Missed something ?       
&nbsp;       Will apreaciate your point of you &amp; experiences ;7) Thanks a lot in advance.  
&nbsp;              
&nbsp;              
&nbsp;              
&nbsp;       "OCSP Authentication error redirect" IRule       
&nbsp;       -----------------------------------------------------------------------------------       
&nbsp;       SSL::handshake resume       
&nbsp;       lset ssl_array 1 "auth_failure"       
&nbsp;       session add ssl $id $ssl_array 21600       
&nbsp;       }        
&nbsp;       }        
&nbsp;              
&nbsp;       when AUTH_WANTCREDENTIAL {       
&nbsp;       if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {       
&nbsp;       reject       
&nbsp;       log "[IP::client_addr] WANTCREDENTIAL"       
&nbsp;       }        
&nbsp;       }        
&nbsp;              
&nbsp;       when AUTH_ERROR {       
&nbsp;       if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {       
&nbsp;       lset ssl_array 1 "auth_failure"       
&nbsp;       session add ssl $id $ssl_array 21600       
&nbsp;       log "[IP::client_addr] AUTHERROR"       
&nbsp;       }        
&nbsp;       }       
&nbsp;              
&nbsp;       when HTTP_REQUEST {       
&nbsp;       set id [SSL::sessionid]       
&nbsp;       set ssl_array1 [session lookup ssl $id]       
&nbsp;       set ssl_data0 [lindex $ssl_array1 0]       
&nbsp;       set ssl_data1 [lindex $ssl_array1 1]       
&nbsp;       if { $ssl_data0 contains "expired" } {       
&nbsp;       set fail_payload_part1 ""       
&nbsp;       set fail_payload_part2 "You appear to have a certificate that has expired."       
&nbsp;       set fail_payload_part3 "If you feel you have received this message in error,"       
&nbsp;       set fail_payload_part4 "please contact the appropriate help center"       
&nbsp;       set fail_payload [concat $fail_payload_part1 $fail_payload_part2 $fail_payload_part3 $fail_payload_part4]       
&nbsp;       HTTP::respond 200 content $fail_payload       
&nbsp;       } elseif { $ssl_data1 contains "auth_failure" } {       
&nbsp;       set fail_payload_part1 ""       
&nbsp;       set fail_payload_part2 "You appear to have a certificate that has been revoked."       
&nbsp;       set fail_payload_part3 "If you feel you have received this message in error,"       
&nbsp;       set fail_payload_part4 "please contact the appropriate help center"       
&nbsp;       set fail_payload [concat $fail_payload_part1 $fail_payload_part2 $fail_payload_part3 $fail_payload_part4]       
&nbsp;       HTTP::respond 200 content $fail_payload       
&nbsp;       } elseif { $ssl_data0 contains "ok" } {       
&nbsp;       HTTP::header insert SSLCLientCertStatus $ssl_data1       
&nbsp;       } else {        
&nbsp;       set fail_payload_part1 ""       
&nbsp;       set fail_payload_part2 "It appears that you either do not have a valid DoD PKI certificate installed"       
&nbsp;       set fail_payload_part3 "and functioning in your browser or your session has timed-out. If you feel you have received"       
&nbsp;       set fail_payload_part4 "this message in error, please try connecting again or contact the appropriate help center"       
&nbsp;       set fail_payload [concat $fail_payload_part1 $fail_payload_part2 $fail_payload_part3 $fail_payload_part4]       
&nbsp;       HTTP::respond 200 content $fail_payload       
&nbsp;       }       
&nbsp;       }       
&nbsp;       -----------------------------------------------------------------------------------

justin_18188 · Answer

I have used this iRule successfully. I'm not sure I understand your question but do all certificates get rejected or just some? 
&nbsp;  
&nbsp; I'm actually looking for an iRule that is a little more custom. Even a redirect on OCSP verification failure to a page we built would be cool. Anyone have anything to suggest?

hoolio · Answer

There is a bug where AUTH::status returns the same status code (1) for an unreachable OCSP server as a revoked cert.  It's possible this was the cause of the reported symptoms.  
&nbsp;  
&nbsp; This is noted in CR126501:  
&nbsp;  
&nbsp; CR126501 - enhancement to log server connect failure separately from cert revoked.  
&nbsp;  
&nbsp; And a related CR:  
&nbsp;  
&nbsp; CR126517 - enhance OCSP to log the information without iRule.  
&nbsp; F5 Support suggested the following workaround:  
&nbsp;  
&nbsp;   
  
 Instead of pointing the OCSP responder object directly at the responder, I point it to another VIP (thanks to v9.4.7 I believe - we used to have to point to another BigIP). That VIP pools to the real responder, but also has access to intelligent load balancing, monitors, iRules, etc. This is still very basic, but in that iRule I do this: 
  
 ================= 
 when RULE_INIT { 
    set :CSP_AVAIL 1 
 } 
 when HTTP_REQUEST { 
    if { [active_members ocsp_pool] &lt; 1 } { 
       set :CSP_AVAIL 0 
    } else { 
       set :CSP_AVAIL 1 
    } 
 } 
 ================ 
  
 So I’m setting a global variable that other iRules can see: 
  
 ================ 
 when AUTH_RESULT { 
    if { $:CSP_AVAIL == 1 } { 
       ... 
    } else { 
       log local0. "OCSP Offline" 
    } 
 } 
 ================ 
  
 You could perform your normal logic in your AUTH_RESULT event handler inside the code block for the "$:CSP_AVAIL==1" condition, and do whatever is needful in the else clause to note the absence of available OCSP responders.

&nbsp;  
&nbsp; Aaron

kevin_stewart · Answer

You don't have to create the global variable. 
&nbsp;  
&nbsp; So you still create an OCSP responder VIP with pool and associated health monitors. Simply query the active_members count from anywhere else and take action accordingly if it's less than 1... 
&nbsp;  
&nbsp; Kevin

hoolio · Answer

That makes sense.  Thanks for the tip.  I guess you could even forget the VIP and just check the pool state from the OCSP iRule.  You'd need to configure the OCSP responders as usual instead of using an OCSP virtual server. 
&nbsp;  
&nbsp; Aaron

randy_abrams · Answer

In reference to: 
&nbsp; "Instead of pointing the OCSP responder object directly at the responder, I point it to another VIP (thanks to v9.4.7 ..." 
&nbsp;  
&nbsp; Exactly how is this done?  I can't seem to find any documentation.

Forum Discussion

Valid certificate is identified as revoked by "OCSP Authentication error redirect" IRule

Recent Discussions

F5 looses the token for the first call

feature request: container egress service

did not show checkbox on chrome while access through f5

How do I create a traffic log for two different route domains?

Flip-flop load balancing

Related Content

APM Clientless certificate authentication

BIG-IQ Client Certificate (PKI) Authentication

Automating ACMEv2 Certificate Management on BIG-IP

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Help F5 Transform the BIG-IP Administrator Certification

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS