Configuring OCSP Stapling on BIG-IP
When setting up an SSL connection the cert tells you its expiration, but how do you tell if the SSL cert has been revoked? There are multiple ways to do this. The first is the Certificate Revocation List (CRL). When the client requests the CRL, the cert provider sends a list of revoked certificates. The problem is that over time this list becomes very large as certs are added. Case in point: Heartbleed caused a spike in the number of certs added to CRLs.
The Online Certificate Status Protocol (OCSP) gets around these large lists when all the client is looking for is the status of one cert: the client queries the CA's OCSP responder for the validity of the cert in question. There are still problems; for example, a large number of clients may all query the OCSP responder. If the OCSP responder takes too long and the query times out, most clients will ignore the problem and move on.
With OCSP stapling the client can ask the server to staple the OCSP response to the SSL server certificate response. This lets the server deal with the OCSP message and does not require the client to query the OCSP responder. Doing this offloads the work from the OCSP responder to the server, spreading the load around, making it quicker in most cases and reducing OCSP timeouts. Once the server gets the OCSP response it can cache the response for its validity period, so one request to the OCSP responder will serve many responses to clients.
Requirements for OCSP Stapling on BIG-IP
- The OCSP responder for the cert in question. In this case StartSSL.com allows you to generate a real cert for the test. The OCSP responder is http://ocsp.startssl.com
- Make sure you have the full certificate chain for the cert, so that both the client and the F5 can trust it.
- Test both the responder and the chain with the following openssl commands.
To test the certificate chain, run the following command:
openssl verify -CAfile \:Common\: \:Common\:"cert in question"
The output should look like the following:
:Common:"cert in Question": OK
Now test the OCSP response with openssl:
openssl ocsp -issuer \:Common\: -cert \:Common\: -text -header "HOST" "host name of ocsp" -url http:/// -CAfile \:Common\:
You should get output like the one below:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA OCSP Responder
    Produced At: Jan 14 18:19:02 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 5168159AB1999B3A55E860C022C9D519E0303D29
      Issuer Key Hash: D7914E01C4B0BFF8C86793449CE733FAAD930CAF
      Serial Number: 346F8F9596F4A3AEB2B0C3AE693B5A7F
    Cert Status: good
    This Update: Jan 14 18:19:02 2016 GMT
    Next Update: Jan 18 18:29:02 2016 GMT
Once you have tested the cert and CA, know they are correct, and can connect to the correct OCSP responder, it is time to set up the F5.
BIG-IP Configuration Steps
First we need to create the DNS resolver; this is located in Network -> DNS Resolvers. The defaults are fine here, you just need to add a name.
Next you will need to create a forward zone. For the name put . (a single dot) and enter the DNS server that the unit should use.
Now we can create the OCSP Stapling profile.
- For DNS Resolver, select the resolver you set up in the steps above.
- Trusted Certificate Authorities is the CA file you tested with earlier.
- Responder URL is the URL from earlier that the F5 will direct all OCSP requests to.
- Sign Hash is set to SHA256 by default. There are responders that will not work with this, and for them it will need to be set to SHA1.
- Timeout is the amount of time until the F5 drops the connection to the OCSP server. This has to be smaller than the Handshake Timeout in the SSL profile.
- Status Age is the maximum age of the response, counted from its This Update time; most servers have a range that the update is good for.
- By default the F5 uses 1 day. Check your server to make sure the Status Age is large enough to cover its update interval.
- Cache Timeout is how long the F5 will cache the response. The default is Indefinite, which allows the F5 to cache the response for the length of the validity period the server sets.
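The relationships between these settings are easy to get wrong (an OCSP Timeout that is not smaller than the handshake timeout, or a Status Age shorter than the responder's update interval). The following is an added example, not F5 code, that checks those relationships for a proposed profile against a responder's This Update / Next Update window. The parameter names and the exact semantics of Status Age and Cache Timeout are my reading of the settings described above and should be treated as assumptions; the timestamps reused from the sample response above are the only page values in it.

```python
from datetime import datetime, timezone

# Hypothetical checker for the BIG-IP OCSP Stapling profile values discussed
# above. Not F5 code; the meaning of each setting is an assumption drawn from
# the description in the text. All durations are in seconds.

INDEFINITE = None  # stands in for the BIG-IP "Indefinite" Cache Timeout


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC timestamp (openssl prints times in GMT)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def check_stapling_profile(responder_timeout, handshake_timeout, status_age,
                           cache_timeout, this_update, next_update, now):
    """Return (problems, cache_ttl).

    problems  - list of human-readable findings (empty means the profile is
                consistent with this response at time `now`)
    cache_ttl - seconds the response could be served from cache under the
                given Cache Timeout without outliving its Next Update
    """
    problems = []

    # Assumption: the OCSP Timeout must be strictly smaller than the ClientSSL
    # Handshake Timeout, otherwise the handshake can expire while the F5 is
    # still waiting on the responder.
    if responder_timeout >= handshake_timeout:
        problems.append("OCSP Timeout (%ds) must be smaller than the SSL "
                        "Handshake Timeout (%ds)" % (responder_timeout, handshake_timeout))

    # Assumption: Status Age limits how old a response may be, measured from
    # its This Update time. The 1 day default is too short for a responder
    # that only refreshes every few days.
    age = int((now - this_update).total_seconds())
    if age > status_age:
        problems.append("response is %ds old, older than Status Age (%ds)" % (age, status_age))

    # A response past Next Update must not be served at all.
    remaining = int((next_update - now).total_seconds())
    if remaining <= 0:
        problems.append("response expired at %s" % next_update.isoformat())
        remaining = 0

    # Indefinite caches for the responder's validity window; a numeric Cache
    # Timeout caps that window.
    ttl = remaining if cache_timeout is INDEFINITE else min(cache_timeout, remaining)
    return problems, ttl


if __name__ == "__main__":
    # Timestamps from the sample response in the text; "now" is constructed.
    this_update = utc(2016, 1, 14, 18, 19, 2)
    next_update = utc(2016, 1, 18, 18, 29, 2)
    now = utc(2016, 1, 16, 12)

    # Default-ish settings: 1 day Status Age and a timeout equal to the handshake timeout.
    problems, ttl = check_stapling_profile(10, 10, 86400, INDEFINITE, this_update, next_update, now)
    for p in problems:
        print("PROBLEM:", p)
    print("cache ttl:", ttl)

    # Corrected settings for this responder.
    problems, ttl = check_stapling_profile(5, 10, 4 * 86400, 3600, this_update, next_update, now)
    print("problems:", problems, "cache ttl:", ttl)
```

Run it against the This Update / Next Update values your own responder returns from the openssl test; if the first call reports the Status Age problem, raise Status Age past the responder's refresh interval before going live.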
The next step is to create the SSL profile and add the OCSP Stapling profile to it.
Once the ClientSSL profile is added to the VIP you are ready to test.
Testing it out
If your site is open to the Internet you can use tools like Qualys SSL Labs, or you can test with OpenSSL with the following command:
certificate_d # openssl s_client -connect VIP IP:443 -tls1 -tlsextdebug -status | grep -i "ocsp response" -B 5 -A 10
The output from a successful OCSP stapling test looks like this:
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA OCSP Responder
    Produced At: Jan 14 18:19:02 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 5168159AB1999B3A55E860C022C9D519E0303D29
      Issuer Key Hash: D7914E01C4B0BFF8C86793449CE733FAAD930CAF
      Serial Number: 346F8F9596F4A3AEB2B0C3AE693B5A7F
    Cert Status: good
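Eyeballing that grep output works for one VIP, but when you are checking many VIPs it helps to decide mechanically whether a captured `openssl s_client -status` output carries a usable staple. The following is an added example, not part of the original write-up or an F5 tool: it parses the text openssl prints and returns whether the staple is present, successful, good, and not yet past its Next Update. The sample output is constructed to mirror the one above (same hashes and serial, responder line kept); the "no response sent" line is what openssl prints when a server sends no staple.

```python
import re
from datetime import datetime, timezone

# Constructed sample modeled on the "openssl s_client -status" output shown
# above; not captured from a live host.
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA OCSP Responder
    Produced At: Jan 14 18:19:02 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 5168159AB1999B3A55E860C022C9D519E0303D29
      Issuer Key Hash: D7914E01C4B0BFF8C86793449CE733FAAD930CAF
      Serial Number: 346F8F9596F4A3AEB2B0C3AE693B5A7F
    Cert Status: good
    This Update: Jan 14 18:19:02 2016 GMT
    Next Update: Jan 18 18:29:02 2016 GMT
"""

# What openssl prints when the server does not staple anything.
SAMPLE_NOT_STAPLED = "OCSP response: no response sent\n"

FIELDS = {
    "response_status": re.compile(r"OCSP Response Status:\s*(\w+)"),
    "cert_status": re.compile(r"Cert Status:\s*(\w+)"),
    "this_update": re.compile(r"This Update:\s*(.+?)\s*$", re.M),
    "next_update": re.compile(r"Next Update:\s*(.+?)\s*$", re.M),
}


def parse_time(text):
    """Parse openssl's 'Jan 14 18:19:02 2016 GMT' timestamps as aware UTC."""
    normalized = " ".join(text.split())  # openssl pads single-digit days with a space
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_staple(text):
    """Pull out the fields that decide whether a stapled response is usable."""
    info = {"stapled": "OCSP Response Data:" in text}
    for key, rx in FIELDS.items():
        m = rx.search(text)
        info[key] = m.group(1) if m else None
    for key in ("this_update", "next_update"):
        if info[key]:
            info[key] = parse_time(info[key])
    return info


def staple_ok(text, now):
    """Return (ok, reason) for a captured s_client -status output as of `now`.

    The order of checks matters: a missing staple, a responder error, a
    non-good cert status and an expired window are all distinct failures a
    client would treat differently.
    """
    info = parse_staple(text)
    if not info["stapled"]:
        return False, "no OCSP response stapled"
    if info["response_status"] != "successful":
        return False, "responder error: %s" % info["response_status"]
    if info["cert_status"] != "good":
        return False, "cert status is %s" % info["cert_status"]
    if info["next_update"] is None or now >= info["next_update"]:
        return False, "stapled response expired"
    return True, "good"


if __name__ == "__main__":
    import sys
    # Pipe real s_client output in, or run without input to see the samples.
    if not sys.stdin.isatty():
        print(staple_ok(sys.stdin.read(), datetime.now(timezone.utc)))
    else:
        when = parse_time("Jan 16 12:00:00 2016 GMT")  # constructed "now"
        print(staple_ok(SAMPLE_STAPLED, when))
        print(staple_ok(SAMPLE_NOT_STAPLED, when))
```

Usage: `openssl s_client -connect host:443 -status </dev/null 2>/dev/null | python3 staple_check.py` (file name assumed). An expired staple is the case worth watching for on a BIG-IP with Cache Timeout set to a number: the F5 may keep serving a response the client will reject once Next Update has passed.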
Much thanks to Richard Harlan, one of F5's fine field systems engineers, for contributing this write-up!