DISA OCSP responder sometimes producing errors
Hi, not sure if there are others that have this issue, it seems sporadic. I’m using BigIP v13.1.1 OCSP will sometimes fail and users will fail to login, and it will fail for a random duration of time which makes me think it may be an issue with DISA's OCSP servers. It doesn't happen daily. I have a pretty standard APM setup. No HA, nothing weird. My VPE: Start -> On Demand Cert (request) -> OCSP (/Common/DISA_OCSP, cert type user) -> etc etc -> For my OCSP config I have default settings with the Certificate Authority file as the DOD CA bundle and Verify other is the DOD Email CA bundle. Everything is checked besides Ignore AIA and Trust Other. The error in /var/log/apm is: OCSP Auth agent: Failure status ‘Error querying OCSP responsder *(<-this is a typo in the error)* host (ocsp.disa.mil) path (/)’ Looking at my email cert, it looks like I have two different AIAs. One is a crl.disa.mil url pointing at my CA's DODEMAILCA cer file, the other is ocsp.disa.mil. Can anyone recommend a more stable way to configure this?
OCSP and Comodo cert
Hi all, I was wondering if somebody ran into the same issue with OCSP and Comodo issued certs. Since last week we're getting "OCSP Check Failed" messages for Comodo issued certificates. We did some tcpdumps to figure out what's going on and it seems that Comodo OCSP URL requires a host header. This was the HTTP response to our OCSP request: Invalid URL The requested URL "[no URL]", is invalid. Reference 9.7ce58db.1529652000.5b7f63b A manually performed check confirmed the issue (we're on 12.1.2-HF2): openssl ocsp -issuer comodo-chain-bundle.crt -cert web-certificate.crt -text -url http://ocsp.comodoca.com -no_nonce -verify_other comodo-chain-bundle.crt OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: xxxx Issuer Key Hash: yyyy Serial Number: zzzz Error querying OCSP responder 47881717408264:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:247:Code=400,Reason=Bad Request By adding a host header to the openssl command we were able to get a successful response: openssl ocsp -issuer comodo-chain-bundle.crt -cert web-certificate.crt -text -url http://ocsp.comodoca.com -no_nonce -verify_other comodo-chain-bundle.crt -header "Host" "ocsp.comodoca.com" OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: xxxx Issuer Key Hash: yyyy Serial Number: zzzz OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7 Produced At: Jun 20 08:45:26 2018 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: xxxx Issuer Key Hash: yyyy Serial Number: zzzz Cert Status: good This Update: Jun 20 08:45:26 2018 GMT Next Update: Jun 27 08:45:26 2018 GMT Signature Algorithm: sha256WithRSAEncryption ---snippp--- Response verify OK web-certificate.crt: good This Update: Jun 20 08:45:26 2018 GMT Next Update: Jun 27 08:45:26 2018 GMT The "web-certificate.crt" is issued by Issuer: COMODO RSA Domain Validation Secure Server CA, COMODO CA Limited Write review of Comodo Our "comodo-chain-bundle.crt" contains Common Name: COMODO RSA Domain Validation Secure Server CA Issuer: COMODO RSA Certification Authority, COMODO CA Limited Write review of Comodo Common Name: COMODO RSA Certification Authority Issuer: COMODO RSA Certification Authority, COMODO CA Limited Our implemented OCSP check doesn't send a host header and we have no issue with certificates issued by other CAs. Does anybody know a workaround? Can we savely add a host header to our OCSP check without affecting the checks of other certificates? Any hint is much appreciated. cheers
OCSP health monitor
Hey Guys, Sort of in a time crunch. I am looking for a way to create a health monitor the would monitor OCSP request instead of http/https. I've seen/read somewhere on the forums that is could be by an external script ? but not sure how that would be done. I have a pool of OCSP validators which work for http health monitor but that's not what our sec team is looking to get monitored. Any help is appreciated. Thanks
Enabling OCSP stapling via f5-sdk fails
I want to enable OCSP stapling for a lot of clientSSL profiles, so I thought if'd use the f5-sdk python library. However, my tests so far fail miserably, even without trying to change the actual setting. Here's what I tested: #! /usr/bin/env python3 from f5.bigip import ManagementRoot mgmt = ManagementRoot("hostname", "username", "password") profile = mgmt.tm.ltm.profile.client_ssls.client_ssl.load(partition="Common", name="myprofile") print(profile.ocspStapling) profile.update() This print the current ocpStapling value ('disabled'), but updating the unchanged profile fails: $ python3 ocsp-test2.py disabled Traceback (most recent call last): File "ocsp-test2.py", line 15, in <module> profile.update() File "/Users/teun/Library/Python/3.7/lib/python/site-packages/f5/bigip/resource.py", line 617, in update self._update(**kwargs) File "/Users/teun/Library/Python/3.7/lib/python/site-packages/f5/bigip/resource.py", line 580, in _update response = session.put(update_uri, json=data_dict, **requests_params) File "/Users/teun/Library/Python/3.7/lib/python/site-packages/icontrol/session.py", line 295, in wrapper raise iControlUnexpectedHTTPError(error_message, response=response) icontrol.exceptions.iControlUnexpectedHTTPError: 400 Unexpected Error: Bad Request for uri: https://hostname:443/mgmt/tm/ltm/profile/client-ssl/~Common~myprofile/ Text: '{"code":400,"message":"\\"{ dont-insert-empty-fragments no-tlsv1.1 single-dh-use no-sslv3 no-tlsv1 }\\" unexpected argument","errorStack":[],"apiError":26214401}' I didn't change any settings of the profile, so why would it fail to update? As a test, I removed these SSL options., but that doesn't help either. The error message changes of course, but updating an unchanged profile still fails: icontrol.exceptions.iControlUnexpected HTTPError: 400 Unexpected Error: Bad Request for uri: https://hostname:443/mgmt/tm/ltm/profile/client-ssl/~Common~myprofile/ Text: '{"code":400,"message":"01b4002a:3: Client SSL profile (/Common/myprofile):cert-key-chain and profile cert/key/chain/passphrase options cannot be specified together.","errorStack":[],"apiError":3}' I really fail to see what's wrong here and what I need to do to get this to work. Any other suggestions on configuring OCSP stapling via python are welcome too.
Dynamic OCSP and CRLDP check for SSL Client Authentication
Dear, I have a use case where a virtual server is configured with a client ssl profile and client authentication is enabled. The client certificates can be signed by any CA in a bundle that is assigned to the profile as well. We want to enable the revocation status check based on the information of the certificate, it can be either CRLDP or OCSP. There are some configuration objects in "Local Traffic >> Profiles >> Authentication" but these profiles need static URLs for the CRLDP and OCSP. I also read that this is based on the ACA module that has been deprecated. So I would assume that the only solution would be the APM module, but I would like to get a clear answer if possible. Thanks a lot. Abdessamad
