Forum Discussion

action_- (Altostratus)
Oct 12, 2018

DISA OCSP responder sometimes producing errors

Hi, not sure if there are others that have this issue, it seems sporadic.

I’m using BigIP v13.1.1

OCSP will sometimes fail and users will fail to login, and it will fail for a random duration of time which makes me think it may be an issue with DISA's OCSP servers. It doesn't happen daily.

I have a pretty standard APM setup. No HA, nothing weird.

My VPE:

Start -> On Demand Cert (request) -> OCSP (/Common/DISA_OCSP, cert type user) -> etc etc ->

For my OCSP config I have default settings with the Certificate Authority file as the DOD CA bundle and Verify other is the DOD Email CA bundle. Everything is checked besides Ignore AIA and Trust Other.

The error in /var/log/apm is:

OCSP Auth agent: Failure status ‘Error querying OCSP responsder *(<-this is a typo in the error)* host (ocsp.disa.mil) path (/)’

Looking at my email cert, it looks like I have two different AIAs. One is a crl.disa.mil url pointing at my CA's DODEMAILCA cer file, the other is ocsp.disa.mil.

Can anyone recommend a more stable way to configure this?

1 Reply

  • It would be possible theoretically to define a response timeout value for OCSP requests, such that it "failed open" if the request couldn't succeed. But honestly, this particular problem has existed for as long as I can remember, and the very best recommendation would probably be to stand up your own local responder that pulls CRLs from DISA. If you have a Microsoft site license, then you already have a free OCSP responder that works as well as the other dedicated OCSP vendors. The beauty here is that you can configure the local responder to extend revocation status beyond the CRL end-date in case the CRL stops working too.
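The two points raised in this thread, the OP's observation that a cert carries both a CA Issuers and an OCSP entry in its AIA, and the reply's suggestion of a local responder and a fail-open timeout, can be walked through offline with the openssl command line. The script below is an added example and is not F5's, DISA's or the poster's configuration: it builds a constructed test CA, issues one valid and one revoked end-entity certificate with an AIA extension (the hostnames ocsp.example.test and crl.example.test are made up), answers OCSP requests from a local index.txt the way a private responder would, and then shows why a status must only be trusted when the response verifies.

```shell
#!/bin/sh
# Added example (not from the original post): a complete offline OCSP round
# trip with openssl, plus a fail-closed/fail-open decision helper.
set -e
cd "$(mktemp -d)"

# --- constructed PKI: test CA, a good cert (serial 0x1001) and a revoked one (0x1002)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Example Test CA" -days 30 2>/dev/null
# AIA with both access methods, mirroring what the OP saw in the email cert:
# caIssuers points at a CA certificate file, OCSP at a responder.
cat > aia.cnf <<'EOF'
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/, caIssuers;URI:http://crl.example.test/EXAMPLECA.cer
EOF
openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr -subj "/CN=user" 2>/dev/null
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -set_serial 4097 -days 30 \
    -extfile aia.cnf -out user.pem 2>/dev/null
openssl req -new -key user.key -out revoked.csr -subj "/CN=revoked" 2>/dev/null
openssl x509 -req -in revoked.csr -CA ca.pem -CAkey ca.key -set_serial 4098 -days 30 \
    -extfile aia.cnf -out revoked.pem 2>/dev/null

# --- local responder database (openssl "ca" index format, tab separated):
# type, expiry, revocation date, serial (hex), file, subject
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=user\n' > index.txt
printf 'R\t300101000000Z\t240101000000Z\t1002\tunknown\t/CN=revoked\n' >> index.txt

# Print the OCSP responder URIs from a certificate's AIA extension. The
# "CA Issuers" entry is deliberately not returned: it names a CA cert file,
# not something an OCSP query can be sent to.
aia_ocsp_urls() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *OCSP - URI://p'
}

# Build an OCSP request for cert $1 and answer it from index.txt, writing the
# DER response to $2. This is the job a local responder would do online.
ocsp_answer() {
    openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key -no_nonce \
        -reqin req.der -respout "$2" >/dev/null 2>&1
}

# Verify response $2 for cert $1 and print good/revoked/unknown. Any failure
# (unparseable response, bad signature, status for a different serial) is
# reported as "error" rather than guessed: openssl prints a status summary
# even when verification fails, so the exit code is checked first.
ocsp_status() {
    out=$(openssl ocsp -respin "$2" -issuer ca.pem -cert "$1" -CAfile ca.pem \
          -no_nonce 2>/dev/null) || { echo error; return 0; }
    case "$out" in
        *": good"*)    echo good ;;
        *": revoked"*) echo revoked ;;
        *": unknown"*) echo unknown ;;
        *)             echo error ;;
    esac
}

# Map a status ($1) to an access decision under mode $2. "fail-closed" is the
# behaviour the OP is seeing (responder error -> login fails); "fail-open"
# is the timeout-based alternative the reply mentions, with its obvious risk
# that an unreachable responder can never block a revoked cert.
decide() {
    case "$1:$2" in
        good:*)       echo allow ;;
        revoked:*)    echo deny ;;
        *:fail-open)  echo allow ;;
        *)            echo deny ;;
    esac
}

# Stand-alone run: answer both certs locally and show the decisions.
ocsp_answer user.pem good.der
ocsp_answer revoked.pem rev.der
echo "OCSP responder(s) in user.pem AIA: $(aia_ocsp_urls user.pem)"
for c in user revoked; do
    [ "$c" = user ] && r=good.der || r=rev.der
    s=$(ocsp_status "$c.pem" "$r")
    echo "$c.pem: status=$s fail-closed=$(decide "$s" fail-closed) fail-open=$(decide "$s" fail-open)"
done
echo "user.pem with a response for another serial: $(ocsp_status user.pem rev.der)"
```

The last line is the check worth keeping in mind when a responder misbehaves: a response that verifies but does not cover the serial being checked must not be read as "good", and the same holds for a response that fails signature verification against the trusted CA bundle.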