Forum Discussion

jakru_162096
Nov 16, 2018

VS CRLDP check fails

Hello,

I'm in the middle of implementing CRLDP and my F5 fails to actually check them.

I managed to find that the tamd process is responsible for logging CRLDP events, and in /var/log/ltm I can find:

Nov 16 11:19:31 mutual warning tamd[5637]: 010b0904:4: crl ldap_simple_bind failure: ?
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0903:4: no crl found for ldap:///CN=lab-ca(1),CN=DC01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxx,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0905:4: crldap: url is not ldap!
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0903:4: no crl found for http://xxx/CertEnroll/lab-ca(1).crl
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0905:4: crldap: url is not ldap!
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0903:4: no crl found for file:////xxx/lab-ca(1).crl
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0905:4: crldap: url is not ldap!
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0903:4: no crl found for http://crl.pki.goog/GTSGIAG3.crl
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0232:4: pam_authenticate: 6
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0235:4: AUTH: Permission denied
Nov 16 11:19:31 mutual warning tmm[28819]: 01260013:4: SSL Handshake failed for TCP 10.138.1.100:55071 -> 10.138.1.207:443

and that leads me to the idea that my F5 can't reach those CRLs, or that the paths in the certificates are wrong. However, the same device is able to reach those CRLs using curl (at least those available over HTTP). Locations for the CRLs are obtained from the client certificate. I failed to change the behaviour to actually use the defined object for the CRL location.

Also, when I got desperate, I added that last CRL, the Google CRL, which is 100% valid and accessible from the internet for everyone. I do not care if my client fails the CRL check as long as the F5 gets to that point. For now it can't. Any idea why it works like this? I used this guide to configure CRLDP on the F5: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-12-1-0/33.html

Reply:

Jakru,

You're using CRLDP in LTM, which only supports LDAP URLs, and the one LDAP URL you have is invalid. You need APM to access CRLs via HTTP.
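As an added example (not part of this thread and not F5's own code), the script below reads tamd lines of the form shown in the question and sorts each "no crl found" distribution point by URL scheme, so an admin can see at a glance which entries LTM CRLDP could never fetch (HTTP and file URLs) versus which LDAP entries remain to be debugged. The log format and message ID 010b0903 are taken from the post; the "LDAP only" rule is the reply's point. The extra check for an LDAP URL with an empty host (the `ldap:///` form in the log) is my own reading of why that URL cannot be bound to, which the reply does not spell out, so treat it as an assumption. The sample log is the post's own lines, embedded inline.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the tamd/tmm lines from the post above (hostnames were
# already redacted as "xxx" in the original). Not captured from a live system.
SAMPLE_LOG = """\
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0904:4: crl ldap_simple_bind failure: ?
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0903:4: no crl found for ldap:///CN=lab-ca(1),CN=DC01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxx,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0905:4: crldap: url is not ldap!
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0903:4: no crl found for http://xxx/CertEnroll/lab-ca(1).crl
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0905:4: crldap: url is not ldap!
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0903:4: no crl found for file:////xxx/lab-ca(1).crl
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0905:4: crldap: url is not ldap!
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0903:4: no crl found for http://crl.pki.goog/GTSGIAG3.crl
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0232:4: pam_authenticate: 6
Nov 16 11:19:31 mutual warning tamd[5637]: 010b0235:4: AUTH: Permission denied
Nov 16 11:19:31 mutual warning tmm[28819]: 01260013:4: SSL Handshake failed for TCP 10.138.1.100:55071 -> 10.138.1.207:443
"""

# Message 010b0903 is the one that names the CRL URL tamd could not fetch.
NO_CRL_RE = re.compile(r"tamd\[\d+\]: 010b0903:\d+: no crl found for (\S+)")

# Status codes returned by classify_crl_url().
LDAP_OK = "LDAP_OK"                  # LDAP URL with a host: LTM CRLDP can try to bind to it
LDAP_NO_HOST = "LDAP_NO_HOST"        # ldap:/// form with no host (assumed unusable: nothing to bind to)
NON_LDAP_SCHEME = "NON_LDAP_SCHEME"  # http/file/...: LTM CRLDP does not fetch these (APM needed for HTTP)


def classify_crl_url(url):
    """Decide whether an LTM CRLDP resolver could use this distribution point."""
    parts = urlparse(url)
    if parts.scheme.lower() != "ldap":
        return NON_LDAP_SCHEME
    if not parts.netloc:
        return LDAP_NO_HOST
    return LDAP_OK


def triage_crl_failures(log_text):
    """Extract every 'no crl found' URL from tamd log lines and classify it."""
    results = []
    for line in log_text.splitlines():
        m = NO_CRL_RE.search(line)
        if not m:
            continue  # bind failures, PAM results, tmm handshake lines: not a CRL URL
        url = m.group(1)
        parts = urlparse(url)
        results.append({
            "url": url,
            "scheme": parts.scheme.lower(),
            "host": parts.netloc,
            "status": classify_crl_url(url),
        })
    return results


def summarize(results):
    """Count failures per status so the dominant cause is visible at a glance."""
    counts = {LDAP_OK: 0, LDAP_NO_HOST: 0, NON_LDAP_SCHEME: 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


if __name__ == "__main__":
    rows = triage_crl_failures(SAMPLE_LOG)
    for r in rows:
        host = r["host"] or "(none)"
        print(f"{r['status']:16} {r['scheme']:5} host={host:20} {r['url'][:60]}")
    print(summarize(rows))
```

Run against the post's log, three of the four distribution points are HTTP or file URLs that LTM CRLDP skips by design, and the one LDAP URL has no host, which matches the "ldap_simple_bind failure" line that precedes it. The same filter can be run over a real /var/log/ltm to confirm whether any LDAP URL with a reachable host is actually being attempted before looking at network or firewall causes.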