Dynamic CRL Check with Client SSL Profile - How to notify the user?
Hi, we have implemented dynamic CRL checking with a client SSL profile in our test environment with BIG-IP 15.1, and it works. If a test user tries to establish an SSL session to a VIP with dynamic CRL checking enabled and the user's cert is revoked, the BIG-IP resets the connection. We are looking for a way to direct the user's browser to an error page so that the user would be notified that the application can't be accessed because the cert is revoked. Obviously, the SSL session is (or is not) established before any traffic can be sent over HTTP. We can verify the CRL check result with "SSL::verify_result" in an iRule (for example), but the session is reset before an HTTP redirect can be sent. We are aware that this can be done with LTM + APM; however, for this use case APM is not available. This was, for example, possible in the "old days" on Cisco ACE with:

    parameter-map type sslMap_Name authentication-failure redirect cert-revoked url URL_Address

Any ideas & help on how to notify the user that the cert has been revoked would be greatly appreciated. Thanks!
Solved · 93 Views · 0 likes · 2 Comments

Support dynamic CRL check for clientSSL profile (BIG-IP 15.1)
Hi, has anyone tested the (dynamic) CRL validator object for the client SSL profile (BIG-IP v15.1)? It should work in v15.1 (fixed bug 743758 - https://cdn.f5.com/product/bugtracker/ID743758.html). I'm getting the following errors for all client certificates:

    err tmm1[21207]: 01a40008:3: Unable to build certificate trust chain for profile /clientssl_profile
    tmm1[21207]: 01260009:4: clientIP:62042 -> VIP:443: Connection error: ssl_hs_do_crl_validation:6014: alert(46) unknown certificate error

With a CRL file it works OK, but a file does not automatically fetch, check, and cache CRL files… Kr, EPX
2.6K Views · 1 like · 3 Comments

Dynamic OCSP and CRLDP check for SSL Client Authentication
Dear, I have a use case where a virtual server is configured with a client SSL profile and client authentication is enabled. The client certificates can be signed by any CA in a bundle that is assigned to the profile as well. We want to enable the revocation status check based on the information in the certificate; it can be either CRLDP or OCSP. There are some configuration objects in "Local Traffic >> Profiles >> Authentication", but these profiles need static URLs for the CRLDP and OCSP. I also read that this is based on the ACA module, which has been deprecated. So I would assume that the only solution would be the APM module, but I would like to get a clear answer if possible. Thanks a lot. Abdessamad
515 Views · 0 likes · 1 Comment

APM CRLDP Response
Hey all. I am able to use the CRLDP cert check in APM (v11.6 HF6). OCSP is not an option, as the OCSP x509 extension does not exist in all my certs and I do not want to keep a list of issuers to OCSP profiles. Going through the scenarios (cert revoked, HTTP CRL not available, etc.). I am supporting multiple CAs, getting the CDP URL from the x509 extension in the cert. However, when the HTTP CRL is not available, I get an entry in the APM debug logs (I see the connection attempt to the CDP location in a tcpdump: SYN, SYN, SYN, etc., no SYN ACK as it's not available):

    modules/Authentication/Crldp/CrldpAuthModule.cpp func: "setCrldpResponseStatus()" line: 796 Msg: Crldp Response Status: Bad HTTP response status

and

    Following rule 'Successful' from item 'CRLDP Auth'

I wouldn't think this would be successful. In addition, the result is not in an APM session variable that I could parse. A few observations/questions:
1. Is there a list of all the response codes that CRLDP returns so that I could parse them and make my own decision?
2. The checkbox "Use Issuer" in the profile does the opposite of what it says. When not checked, it successfully pulls the CDP location from the cert. When checked, it doesn't.
3. Where can I see the cached CRL entries on the BigIP? It would be nice to be able to compare the entries to the result.
4. What is the "Allow NULL CRL" checkbox used for? In my testing it seems to do nothing.
Thanks.
345 Views · 0 likes · 3 Comments

CRLDP Authentication : CRL lookup failed
Hi F5 community, I'm trying to use CRLDP Authentication on BigIP APM (12.0.0). This is for ActiveSync access with certificate credentials (Kerberos method). Everything works before adding CRLDP auth: credentials are extracted from the client certificate and used for Kerberos authentication. I have access to my emails. That part is great. As far as CRLDP is concerned, I followed this configuration process: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/16.print.html. To sum up, I created the CRLDP AAA server and associated it with my access policy. And it's not working:

    reason 'No valid host found' CRL lookup failed for LDAP url.

And I'm not surprised, because I know that a user account is required to access my LDAP. Thing is, I don't know how or where to configure it. Somebody's got a clue? Cheers, Julien
839 Views · 0 likes · 3 Comments

OCSP responder profile with client cert set to "request", for multiple CAs;
Environment: LTM 11.5.2, APM available but I think N/A for this. Just a quick check of my understanding of something... If an OCSP responder profile's URL field is empty, and "Ignore AIA" is not checked, then the URL from the AIA will be used to reach the OCSP service, correct? Can I assume this works cleanly if "request" is set in the client SSL profile, that is, if a user doesn't provide a client certificate, this won't err out? Finally, if a cert's AIA doesn't have an OCSP service, only a URL to a CRL... how should that certificate be validated? If a CRLDP profile is also attached to the virtual server, will it recognize that situation and use the CRLDP profile instead? Or is there a recognized solution for handling such a mix of incoming client certificates? How about if there's no CRLDP, but only a URL to a CRL file? Can that situation be automagically handled? Thanks!
294 Views · 0 likes · 2 Comments