ocsp responder
OCSP AUTH AGENT
Hello everyone, I'm facing a situation and I need your input to figure out what's wrong. I have a VIP where mTLS is configured in the client SSL profile with the issuer's certificate as CA (we call it CA_1), and it works well. (For info, the client cert is issued by CA_1, which is itself issued and signed by a higher authority, CA_2.) I wanted to make OCSP checks for client certificates, so I created a simple APM policy as follows:

Client ---> On-Demand Cert Auth agent ---> OCSP Auth agent ---> Allow or Deny

The OCSP responder is configured with the same CA_1 that's configured in the Client Authentication section of the SSL profile, and a responder (ocsp.example.com). The error I'm facing is:

OCSP Auth agent: Failure status 'Error querying OCSP responder host ocsp.example.com'

To troubleshoot, I did a few tests, and we can eliminate the following possibilities:
- Connectivity and DNS: I can reach the responder on the HTTP port using the FQDN.
- Blocked traffic: no firewall inspection between the BIG-IP and the responder.
- The responder not treating the request as it should: openssl ocsp verification works fine and gets me the wanted result from the OCSP responder.
- The famous "missing Host header": the header is included in the request sent by the BIG-IP to the responder; moreover, I compared this request to the one sent when using openssl ocsp and the one sent when I test from my own computer using openssl, and they are identical when it comes to the OCSP data in the request and response frames.
What's more interesting is that when I capture the response sent by the responder when the APM sends the OCSP verification request, I can clearly see that it states the status of the certificate (which is revoked in my case), but the APM logs don't show that; instead, when debugging, it says that the On-Demand Cert Auth agent is executed (I can see the client cert and the issuer cert CA_1 as well), then it moves successfully to the OCSP Auth agent, and then it directly reports the querying error. Could you please tell me if you see anything I could do to troubleshoot further? Any ideas?

PS 1: I also tried using CA_2, a bundle of CA_1 and CA_2, and a cert chain of both, but no luck!
PS 2: When I use the CRLDP agent, I can see the status (revoked) in the APM logs.

Thank you in advance!

APM OCSP Responder Issues
I have:
- in APM: configured the OCSP responder under Access > Auth > OCSP Responders (ocspfqdn.com/ocsp) and added it to the APM policy;
- a health monitor to the OCSP responder that is good (TCP).

But it's not working. tcpdump shows:

09:12:43.591044 IP F5SELFIP.58606 > OCSPserver1.com: Flags [P.], seq 1:192, ack 1, win 229, length 191: HTTP: POST /ocsp HTTP/1.0 out slot1/tmm0 lis=
09:12:43.602954 IP OCSPserver1.com > F5SELFIP.58606: Flags [FP.], seq 1:462, ack 192, win 1027, length 461: HTTP: HTTP/1.1 404 Not Found in slot1/tmm0 lis=

I'm not quite sure what else I can do here. I will note that I implemented this: https://my.f5.com/manage/s/article/K12552109 and it didn't work, but all I did was put the OCSP IP behind a simple virtual server and then add the iRule. I don't know if extra configuration was needed.

APM OCSP check via corporate proxy
Hi, I am checking the revocation status of client certificates in APM using the OCSP Auth agent. I have an AAA Server -> OCSP Responder configured with . I have a host entry and static route configured, and our corporate L4 firewall facing the internet is allowing this connection towards the OCSP IP address. This works fine until the IP of the OCSP server suddenly changes. Then the OCSP check does not work anymore and I need to update the host entry, routing entry and firewall rule with the new destination IP address. This is an ugly solution, and I was thinking I could let APM contact the OCSP via the system proxy, the same way as, for example, I am using the system proxy to update ASM signatures. In order to test it, I did the necessary config of the /sys db proxy.* values (as we are on 12.1.2). I am pretty sure the config is correct. I removed the host entry and routing entry. But I can see that the APM still tries to avoid the proxy and sends the OCSP HTTP requests directly. And of course this is failing now as there is no host and route entry in place. Why is the system proxy not being used by APM to route the OCSP requests out to the internet? And how can I achieve this? Proxy is really my only option for a robust solution because our corporate firewalls are L4 only, and the OCSP IP address is changing quite frequently. I saw this post from Kevin: https://devcentral.f5.com/articles/ocsp-through-an-outbound-explicit-proxy-29026, from which I understood that it indeed is not possible to use the system proxy for OCSP calls. But why is that? Isn't it strange to have a system proxy available but not be able to use it for such an obvious action? And where could I find the iRule Kevin was referring to at the beginning of the article ("simple VIP and iRule that "proxifies" an outbound OCSP HTTP request")? I couldn't find the previous article he was referring to. Thanks, Martin