Forum Discussion
0_11329
Nimbostratus
Jun 03, 2008
Valid certificate is identified as revoked by "OCSP Authentication error redirect" iRule
Hi,
As part of the implementation of a PKI, I am trying to use the "OCSP Authentication error redirect" iRule on a BigIP 1500 LTM (version 9.3.1), intended to redirect the client browser t...
hoolio
Cirrostratus
Aug 12, 2009
There is a bug where AUTH::status returns the same status code (1) for an unreachable OCSP server as for a revoked cert. It's possible this was the cause of the reported symptoms.
This is noted in CR126501:
CR126501 - enhancement to log server connect failure separately from cert revoked.
And a related CR:
CR126517 - enhance OCSP to log the information without iRule.
F5 Support suggested the following workaround:
Instead of pointing the OCSP responder object directly at the responder, I point it to another VIP (thanks to v9.4.7 I believe - we used to have to point to another BigIP). That VIP pools to the real responder, but also has access to intelligent load balancing, monitors, iRules, etc. This is still very basic, but in that iRule I do this:
=================
when RULE_INIT {
    # global flag shared with other iRules: 1 = OCSP responders reachable
    set ::OCSP_AVAIL 1
}
when HTTP_REQUEST {
    # active_members returns the number of pool members currently up per the monitor
    if { [active_members ocsp_pool] < 1 } {
        set ::OCSP_AVAIL 0
    } else {
        set ::OCSP_AVAIL 1
    }
}
================
So I’m setting a global variable that other iRules can see:
================
when AUTH_RESULT {
    if { $::OCSP_AVAIL == 1 } {
        ...
    } else {
        log local0. "OCSP Offline"
    }
}
================
You could perform your normal logic in your AUTH_RESULT event handler inside the code block for the "$::OCSP_AVAIL == 1" condition, and do whatever is needful in the else clause to note the absence of available OCSP responders.
Aaron
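Putting the two fragments above together into one complete pair of iRules (an added example, not code from Aaron's reply, from the codeshare iRule or from F5): the first is applied to the front-end OCSP VIP and tracks responder availability in the global ::OCSP_AVAIL; the second is applied to the client-facing VIP and uses that flag in AUTH_RESULT to tell a revoked certificate from a responder that could not be reached. Both non-success branches reject the connection, so a responder outage fails closed but is logged distinctly. The pool name ocsp_pool and the "OCSP Offline" wording are carried over from the reply; the extra log lines and the client address logging are assumptions added here.

```tcl
# iRule 1: applied to the front-end VIP whose pool (assumed name: ocsp_pool)
# contains the real OCSP responder(s). Added example, not the thread's own code.
when RULE_INIT {
    # assume responders are reachable until the pool monitor says otherwise
    set ::OCSP_AVAIL 1
}
when HTTP_REQUEST {
    # active_members counts pool members the monitor currently reports as up;
    # this event fires for each OCSP request the LTM auth module sends through the VIP
    if { [active_members ocsp_pool] < 1 } {
        set ::OCSP_AVAIL 0
        log local0. "OCSP Offline: no active members in ocsp_pool"
    } else {
        set ::OCSP_AVAIL 1
    }
}

# iRule 2: applied to the client-facing VIP that performs the OCSP authentication.
# AUTH::status returns 0 for success; the v9.3 bug described above returns 1 both
# for a revoked certificate and for an unreachable responder, so the global flag
# set by iRule 1 is what distinguishes the two cases.
when AUTH_RESULT {
    if { [AUTH::status] == 0 } {
        # certificate was checked against the responder and is not revoked
        return
    }
    if { $::OCSP_AVAIL == 1 } {
        # responders are up, so a non-zero status really is a rejected certificate
        log local0. "OCSP: certificate rejected (status [AUTH::status]) for client [IP::client_addr]"
    } else {
        # responders are down: the certificate status is unknown, not revoked.
        # Fail closed so an outage is never treated as a successful validation.
        log local0. "OCSP Offline: could not validate certificate for client [IP::client_addr]"
    }
    reject
}
```

Both iRules must run on the same BIG-IP for the ::OCSP_AVAIL variable to be visible to each other, which is why the reply notes that v9.4.7 and later can point the OCSP responder object at a local VIP. On 10.x and later, assigning to ::-prefixed global variables demotes the virtual server from CMP; there the same flag is normally kept in a static:: variable or in the table command instead.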