Configuring OCSP Stapling on BIG-IP
When setting up an SSL connection the certificate tells you its expiration date, but how do you tell whether the certificate has been revoked? There are multiple ways to do this. The first is the Certificate Revocation List (CRL). When the client requests the CRL, the certificate provider sends a list of revoked certificates. The problem is that over time this list becomes very large as certificates are added; case in point, Heartbleed caused a spike in the number of certificates added to CRLs. To get around these large lists, when all the client is looking for is the status of one certificate, there is the Online Certificate Status Protocol (OCSP). This allows the client to query the CA for the validity of the certificate in question. There are still problems: for example, a large number of clients may query the OCSP responder, and if the responder takes too long and times out, most clients will ignore the problem and move on.

With OCSP stapling the client can ask the server to staple the OCSP response to the SSL server certificate it sends. This lets the server deal with the OCSP message and does not require the client to query the OCSP responder. Doing this offloads the process from the OCSP server to the server, spreading the load around, making it quicker in most cases and limiting OCSP timeouts. Once the server gets the OCSP response it can cache it for its validity period, so one request to the OCSP server will serve many responses to clients.

Requirements for OCSP Stapling on BIG-IP

The OCSP responder for the cert in question. In this case startSSL.com allows you to generate a real cert for the test.
The OCSP responder is http://ocsp.startssl.com

You need to make sure the cert has the full chain so that both the client and the F5 trust it. Test both the responder and the chain with the following openssl commands.

To test the SSL chain, run:

openssl verify -CAfile \:Common\: \:Common\:"cert in question"

The output should be like the following:

:Common:"cert in Question": OK

Now test the OCSP response from openssl:

openssl ocsp -issuer \:Common\: -cert \:Common\: -text -header "HOST" "host name of ocsp" -url http:/// -CAfile \:Common\:

You should get output like the one below:

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA OCSP Responder
    Produced At: Jan 14 18:19:02 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 5168159AB1999B3A55E860C022C9D519E0303D29
      Issuer Key Hash: D7914E01C4B0BFF8C86793449CE733FAAD930CAF
      Serial Number: 346F8F9596F4A3AEB2B0C3AE693B5A7F
    Cert Status: good
    This Update: Jan 14 18:19:02 2016 GMT
    Next Update: Jan 18 18:29:02 2016 GMT

Once you have tested and know that the cert and CA are correct and that you can connect to the correct OCSP responder, it is time to set up the F5.

BIG-IP Configuration Steps

First we need to create the DNS resolver; this is located in Network -> DNS Resolvers. The defaults are fine here, you just need to add a name.

Next you will need to create a forward zone. For the name put . and enter the DNS server that the unit should use.

Now we can create the OCSP Stapling profile. The settings are as follows:

DNS Resolver: put in the one that you set up in the steps above.
Trusted Certificate Authorities: this is the CA file you tested with earlier.
Responder URL: use the URL from earlier that the F5 will direct all OCSP requests to.
Sign Hash: by default this is set to SHA256. There are responders that will not work with this, and for those it will need to be set to SHA1.
Timeout: the amount of time until the F5 drops the connection to the OCSP server. This has to be smaller than the Handshake Timeout in the SSL profile.
Status Age: the age of the response, measured from its This Update time. Most servers will have a range that the update is good for. By default the F5 uses 1 day; check your server to make sure the Status Age is large enough to handle this.
Cache Timeout: how long the F5 will cache the response. The default is Indefinite, which allows the F5 to cache the response for the length of the validity period the server sets.

The next step is to create the SSL profile and add the Stapling profile. Once the ClientSSL profile is added to the VIP you are ready to test.

Testing it out

If your site is open to the Internet you can use tools like Qualys SSL Labs, or you can test with OpenSSL with the following command:

certificate_d # openssl s_client -connect VIP IP:443 -tls1 -tlsextdebug -status | grep -i "ocsp response" -B 5 -A 10

The output from a successful OCSP stapling:

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA OCSP Responder
    Produced At: Jan 14 18:19:02 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 5168159AB1999B3A55E860C022C9D519E0303D29
      Issuer Key Hash: D7914E01C4B0BFF8C86793449CE733FAAD930CAF
      Serial Number: 346F8F9596F4A3AEB2B0C3AE693B5A7F
    Cert Status: good

Much thanks to Richard Harlan, one of F5's fine field systems engineers, for contributing this write up!

Client Authentication - Address of the OCSP responder using AIA extension (LTM only)
Hello folks,

With regards to the PSD2 Directive we would like to provide TPP (third-party payment service provider) authentication in LTM (without APM) via OCSP. Certificates need to be validated against different OCSP responders, based on the X509 AIA extension, "Authority Information Access". The idea is the following: BIG-IP to authenticate the client (SSL) and to check the client's certificate revocation status via OCSP + to send X-Client-Certificate to the back-end for further processing (already done via iRule).

I have found that there is an out-of-the-box iRule "_sys_auth_ssl_ocsp", but I am not sure what its point is exactly and whether this iRule is trying to reach the OCSP responders using the AIA. Also there are some cases/articles on DevCentral which point out that if we leave the URL in the OCSP Responders configuration under Local Traffic ›› Profiles : Authentication : OCSP Responders ›› New OCSP Responder..., the BIG-IP will use the AIA to contact the OCSP responders.

To make things more complicated, we need to go to the OCSP responders via an explicit outbound proxy.

Will appreciate any kind of advice and help. Thank you!
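Returning to the stapling article above: the Status Age and Cache Timeout settings only make sense against the This Update / Next Update window in the responder's answer, and the same freshness questions apply when OCSP is used to check a client certificate as in the question above. This added checker (example code, not F5's or the article's) parses the text that `openssl s_client -status` or `openssl ocsp -text` prints, using the response shown on the page as constructed sample input, and reports why a stapled response would not be usable at a given time. It treats Status Age as a maximum age measured from This Update, which is this example's assumption about that setting.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the stapled response shown on this page, trimmed to key lines.
SAMPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Jan 14 18:19:02 2016 GMT
      Serial Number: 346F8F9596F4A3AEB2B0C3AE693B5A7F
    Cert Status: good
    This Update: Jan 14 18:19:02 2016 GMT
    Next Update: Jan 18 18:29:02 2016 GMT
"""

FIELDS = ("OCSP Response Status", "Cert Status", "Serial Number",
          "This Update", "Next Update")

def parse_time(s):
    """Parse openssl's 'Jan 14 18:19:02 2016 GMT' timestamp as an aware UTC datetime."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_ocsp_text(text):
    """Pull the fields we care about out of openssl's text dump of the response."""
    found = {}
    for name in FIELDS:
        m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(name), text, re.M)
        if m:
            found[name] = m.group(1)
    for key in ("This Update", "Next Update"):
        if key in found:
            found[key] = parse_time(found[key])
    return found

def check_staple(text, now, status_age=timedelta(days=1)):
    """Return the reasons a stapled response is NOT usable at `now`. status_age models
    the BIG-IP 'Status Age' (1 day by default, per the article) as a max age from This Update."""
    r = parse_ocsp_text(text)
    problems = []
    if r.get("OCSP Response Status") != "successful (0x0)":
        problems.append("responder did not answer successfully")
    if r.get("Cert Status") != "good":
        problems.append("certificate status is %s" % r.get("Cert Status", "missing"))
    this_upd, next_upd = r.get("This Update"), r.get("Next Update")
    if this_upd is None:
        problems.append("no This Update field")
    elif now - this_upd > status_age:
        problems.append("response older than Status Age")
    if next_upd is not None and now > next_upd:
        problems.append("response past Next Update")
    return problems
```

Run it against the real output of the s_client command from the article (pipe the output into a file and pass its contents as `text`) to see whether a given Status Age would have accepted the response the responder actually served.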