07-Dec-2020 11:04
Hi guys, I just wanted to know if any of you here has already set up an OCSP responder? We have this set up but I am not really sure if I am doing it correctly.
So the setup goes like this.
Our AD team has set up an OCSP responder server. From my end I have configured a virtual server whose pool members are the OCSP responder servers.
Then I created an OCSP profile with the URL http://abc.com.sg.
I am doubting why it is HTTP and not HTTPS; however, this is what our AD team provided, as they said they have a limitation using HTTPS.
This OCSP profile I then applied to one of the public-facing HTTPS URLs through the virtual server's profile.
The objective is that whenever we launch the URL from the internet, the LTM should perform OCSP authentication by querying the OCSP servers.
To test it I simply run openssl and check if there is an OCSP response sent.
Has anyone experienced this? Am I missing something here?
08-Dec-2020 00:26 (last edited on 04-Jun-2023 21:09 by JimmyPackets)
Hi f5mkuDefault,
Your configuration seems to be fine, and you can use either HTTP or HTTPS to query your OCSP responder server without any problem.
To validate the correct functionality of the OCSP responder, check that the OCSP Response Status is successful (0x0) and that the Next Update extension is present in your OpenSSL command output.
You can also check the OCSP statistics on your F5 BIG-IP:
show sys crypto cert-validator ocsp <profile_name>
Regards
09-Dec-2020 02:23
Hi Lidev, actually it is not working. Even the show crypto command does not work, so I am not sure if I missed something.
Is there some configuration I need to do on the SSL Profile?
09-Dec-2020 03:59
Yes, you need to make some modifications in the Client SSL profile.
Please refer to the links below for information:
Regards
09-Dec-2020 07:24
Hi Lidev, thanks for responding... This is actually how I configured it, but I am not too sure if this is correct. However, from the packet capture I can now see the OCSP request and OCSP response; I see we are hitting the remote OCSP. We don't want to use stapling but rather remote OCSP authentication, but I am not too sure if I should enable client authentication.
Would you be able to advise whether everything below is correct or whether I missed anything?
Test result:
From the dump:
I see the OCSP request and OCSP response, and the status of the OCSP response is "unauthorized".
From this point I can tell something is wrong with the remote OCSP; however, I want to know if my configuration is all correct.
Please, kindly advise. Thanks a lot.
09-Dec-2020 09:29
Difficult to say without having the configuration files of the BIG-IP, but in general it looks OK.
Moreover, if you now see the OCSP request/response, it's a good sign.
It actually looks like you have a problem with the remote OCSP server.
Regards
10-Dec-2020 08:53
We were able to find the root cause, and it was due to the "Nonce" setting, which is enabled by default, whereas according to Microsoft "Nonce" is disabled by default in MS.
But still I cannot find a document from F5 that says that for remote OCSP authentication I need to enable client authentication under the Client SSL profile.
Enabling client authentication is for 2-way SSL.
Anyway, Thanks a lot Lidev for helping out.
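Lidev's two checks earlier in the thread (OCSP Response Status successful (0x0) and a Next Update extension present) and the nonce root cause in the post above, put into one small script. This is an added example, not code from the thread, from F5 or from Microsoft: the responder hostname, the certificate file names and the four sample outputs are constructed for illustration, and the only real commands in it are the two openssl ocsp invocations (with the default nonce, and with -no_nonce). ocsp_verdict classifies captured "openssl ocsp -resp_text" output so you can tell a healthy response from "unauthorized", from one that carries no Next Update, and from one where the responder silently dropped the nonce.

```shell
#!/bin/sh
# Added example, not from the thread. Hostname, file names and the four
# sample outputs below are constructed for illustration.

# Live query against the responder; not run by the self-check below.
#   $1 issuer CA cert (PEM)  $2 leaf cert (PEM)  $3 responder URL
#   $4 "nonce" (the request shape a BIG-IP OCSP object sends with nonce
#      enabled) or "no-nonce" (comparison run; a responder that does not
#      support nonces may answer "unauthorized" to the first and
#      "successful" to the second)
ocsp_query() {
    if [ "$4" = "no-nonce" ]; then
        openssl ocsp -issuer "$1" -cert "$2" -url "$3" -resp_text -no_nonce 2>&1
    else
        openssl ocsp -issuer "$1" -cert "$2" -url "$3" -resp_text 2>&1
    fi
}

# Classify captured "openssl ocsp -resp_text" output; prints one verdict word.
ocsp_verdict() {
    out=$1
    status=$(printf '%s\n' "$out" |
        sed -n 's/.*OCSP Response Status: \([a-zA-Z]*\).*/\1/p' | head -n 1)
    case "$status" in
        successful) ;;
        "") echo "NO_STATUS"; return 0 ;;
        *)  echo "ERROR_$status" | tr '[:lower:]' '[:upper:]'; return 0 ;;
    esac
    # Without Next Update the response carries no validity window, so it
    # cannot be cached and every handshake goes back to the responder.
    if ! printf '%s\n' "$out" | grep -q 'Next Update:'; then
        echo "OK_NO_NEXT_UPDATE"; return 0
    fi
    # OpenSSL prints this when it sent a nonce that the responder did not echo.
    if printf '%s\n' "$out" | grep -q 'WARNING: no nonce in response'; then
        echo "OK_NONCE_IGNORED"; return 0
    fi
    echo "OK"
}

# Constructed samples in the shape of -resp_text output.
SAMPLE_OK=$(cat <<'EOF'
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Dec  9 06:00:00 2020 GMT
    Next Update: Dec 10 06:00:00 2020 GMT
Response verify OK
leaf.pem: good
EOF
)
SAMPLE_UNAUTHORIZED=$(cat <<'EOF'
OCSP Response Data:
    OCSP Response Status: unauthorized (0x6)
Responder Error: unauthorized (6)
EOF
)
SAMPLE_NO_NEXT_UPDATE=$(cat <<'EOF'
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Dec  9 06:00:00 2020 GMT
Response verify OK
EOF
)
SAMPLE_NONCE_IGNORED=$(cat <<'EOF'
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Dec  9 06:00:00 2020 GMT
    Next Update: Dec 10 06:00:00 2020 GMT
WARNING: no nonce in response
Response verify OK
EOF
)

for s in "$SAMPLE_OK" "$SAMPLE_UNAUTHORIZED" "$SAMPLE_NO_NEXT_UPDATE" "$SAMPLE_NONCE_IGNORED"; do
    echo "verdict: $(ocsp_verdict "$s")"
done
```

Running the two ocsp_query variants against the real responder is the quick way to confirm a finding like the one above: if the default (nonce) run comes back unauthorized and the -no_nonce run comes back successful, the mismatch is between the nonce setting on the BIG-IP OCSP object and the nonce support on the responder, and client authentication on the Client SSL profile is a separate question.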
14-Dec-2020 04:35
You're welcome 🙂 glad to see that you have identified the issue.
Please don't forget to mark your answer with "Select as Best" in order to mark your post as resolved and help other people find it.
15-Dec-2020 22:17
In addition to the above, the client/user machine must also have the client certificate installed under the personal folder of their browser. Then whatever certificate you apply under the SSL profile > Client Authentication should be able to identify the client certificate sent by the client/user machine. Otherwise it will fail and you get an error page.