Script for External Monitor to check server OCSP Stapling Status
Problem this snippet solves:
Many BIG-IPs do not have DNS configured, so that traffic can keep flowing even during a DNS hiccup (you know they happen). But this lack of DNS makes name-based checking such as OCSP stapling difficult, so BIG-IP does not try to check the OCSP stapling status of the servers in a pool it is bridging SSL traffic to.
One solution to this problem is to use a BIG-IP External Monitor to check the revocation status of servers in a server pool.
How to use this snippet:
Save this snippet to a file on your desktop.
From the BIG-IP GUI, choose the System panel on the left. Then choose File Management. Then choose External Program File List. Upload the file that you saved to the desktop, and give it an appropriate name such as MyOCSPmonitor.
From the GUI, select Local Traffic and then Monitors. Create a new monitor with type External.
Ensure that the External Program field is set to the external program file you just uploaded (MyOCSPmonitor).
Because OCSP status is not something that is likely to change often, use long intervals (on the order of minutes rather than seconds) and timeouts.
Note that you can use 'revoked.grc.com:443' for testing :) If you don't have DNS configured on the BIG-IP, use the IP address of revoked.grc.com instead of the hostname.
Code :
#!/bin/sh
#
# OCSP stapling status monitor
#
# These arguments are supplied automatically for all external pingers:
# $1 = IP (::ffff:nnn.nnn.nnn.nnn notation or hostname)
# $2 = port (decimal, host byte order)
# $3 and higher = additional arguments (not used by this script)
#
# $MONITOR_NAME = name of the monitor

# Name of the pidfile
pidfile="/var/run/$MONITOR_NAME.$1..$2.pid"

# Send a signal to the process group to kill our former self and any children,
# as external monitors are run with SIGHUP blocked
if [ -f "$pidfile" ]
then
    kill -9 -`cat "$pidfile"` > /dev/null 2>&1
fi
echo "$$" > "$pidfile"

# Remove the IPv6/IPv4 compatibility prefix
node_ip=`echo $1 | sed 's/::ffff://'`

# =================================================================
# OCSP Stapling
#
# It's better to check for 'revoked' and use that as the trigger for
# marking the node down rather than looking for success. There are tons
# of other reasons a node might be unable to report its status
# (down for maintenance, network hiccoughs, etc.).
#
# Note that you can use 'revoked.grc.com:443' for testing :)
#
# Use the on-box openssl utility to query the stapled OCSP status.
# =================================================================
cnt=`echo -e "GET /" | openssl s_client -status -connect ${node_ip}:$2 2> /dev/null | grep -A20 "^OCSP Response Data:" | grep -c "Cert Status: revoked"`

if [ "$cnt" -eq 0 ]
then
    # Remove the pidfile before the script echoes anything to stdout and is killed by bigd
    rm -f "$pidfile"
    echo "up"
fi

# Remove the pidfile before the script ends
rm -f "$pidfile"
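The monitor above keys only on "Cert Status: revoked" and treats every other outcome (a good response, or no stapled response at all) as "up". The following is an added example, not part of the original monitor or of F5's code: it runs the same grep logic offline against constructed, abbreviated `openssl s_client -status` transcripts so you can see which outputs lead to which decision before deploying the monitor.

```shell
#!/bin/sh
# Added example: classify the OCSP stapling section of an
# `openssl s_client -status` transcript read from stdin.
# Prints: revoked | good | unknown (no or unparseable stapled response)
ocsp_verdict() {
    # Same window the monitor uses: 20 lines after "OCSP Response Data:"
    status=$(grep -A20 '^OCSP Response Data:' \
             | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    case "$status" in
        revoked) echo revoked ;;
        good)    echo good ;;
        *)       echo unknown ;;
    esac
}

# Mirrors the monitor's decision: only "revoked" is treated as down
# (no output); anything else, including "unknown", reports "up".
monitor_output() {
    v=$(ocsp_verdict)
    [ "$v" = revoked ] || echo up
}

# Constructed transcripts (abbreviated; real output is longer).
SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Jan  1 00:00:00 2020 GMT
======================================
---'
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
======================================
---'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'

# Demo run: the revoked transcript yields no monitor output (down).
printf '%s\n' "$SAMPLE_REVOKED" | ocsp_verdict
```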