OCSP AUTH AGENT
Hello everyone, I'm facing a situation and I need your input to figure it out what's wrong. I have a VIP where mtls is configured in the client SSL profile with the issuer's certificate as CA (we call it CA_1), and it works well. (Per info, the client cert is issued by CA_1, which is also issued and signed by a higher authority CA_2.) I wanted to make OCSP checks for client certificates so I created a simple APM policy as follows : Client --- > on-demand cert agent ---> OCSP Auth Agent ---> Allow or deny The OCSP responder is configured with the same CA_1 that's configured in the in the Client authentication in the ssl profile, and a responder (ocsp.example.com). The error I'm facing is OCSP Auth agent: Failure status 'Error querying OCSP responder host ocsp.example.com. To troubleshoot, I did few tests and we can eliminate the following possibilities: Connectivity and DNS: I can reach the responder in the http port using the FQDN. Blocked traffic : no Firewall inspection between the BIG IP and the responder. The responder is not treating the request as it should: openssl ocsp verification works fine and gets me the wanted result from the ocsp responder. The famous "missing host header" : the header is well included in the request sent by the big ip to the responder; moreover, i compared this request to the one sent when using openssl ocsp and the one sent when i test from my own computer using openssl, and they are identical when it comes to the OCSP date in the request and response frames. What's more interesting is when I capture the response sent by the responder when the apm sends the ocsp verification request, i can clearly see that's stating the status of the certificate (which is revoked in my case), but the APM logs doesn't show that; instead, when debugging, it says that the on-demand cert agent is executed (i can see the client cert and the issuer cert CA_1 as well) and then it moves successfully to the OCSP auth agent and then directly it says the querying error. Could you please tell me if you see anything i could do to troubleshoot more ? Any ideas ? PS 1 : I tried also using the CA_2, a bundle of CA_1 and CA_2, a cert chain of both, but no luck ! PS 2 : when i use the CRLDP agent, i can see the status (revoked) in the APM logs. Thank you in advance !
OCSP and Comodo cert
Hi all, I was wondering if somebody ran into the same issue with OCSP and Comodo issued certs. Since last week we're getting "OCSP Check Failed" messages for Comodo issued certificates. We did some tcpdumps to figure out what's going on and it seems that Comodo OCSP URL requires a host header. This was the HTTP response to our OCSP request: Invalid URL The requested URL "[no URL]", is invalid. Reference 9.7ce58db.1529652000.5b7f63b A manually performed check confirmed the issue (we're on 12.1.2-HF2): openssl ocsp -issuer comodo-chain-bundle.crt -cert web-certificate.crt -text -url http://ocsp.comodoca.com -no_nonce -verify_other comodo-chain-bundle.crt OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: xxxx Issuer Key Hash: yyyy Serial Number: zzzz Error querying OCSP responder 47881717408264:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:247:Code=400,Reason=Bad Request By adding a host header to the openssl command we were able to get a successful response: openssl ocsp -issuer comodo-chain-bundle.crt -cert web-certificate.crt -text -url http://ocsp.comodoca.com -no_nonce -verify_other comodo-chain-bundle.crt -header "Host" "ocsp.comodoca.com" OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: xxxx Issuer Key Hash: yyyy Serial Number: zzzz OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7 Produced At: Jun 20 08:45:26 2018 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: xxxx Issuer Key Hash: yyyy Serial Number: zzzz Cert Status: good This Update: Jun 20 08:45:26 2018 GMT Next Update: Jun 27 08:45:26 2018 GMT Signature Algorithm: sha256WithRSAEncryption ---snippp--- Response verify OK web-certificate.crt: good This Update: Jun 20 08:45:26 2018 GMT Next Update: Jun 27 08:45:26 2018 GMT The "web-certificate.crt" is issued by Issuer: COMODO RSA Domain Validation Secure Server CA, COMODO CA Limited Write review of Comodo Our "comodo-chain-bundle.crt" contains Common Name: COMODO RSA Domain Validation Secure Server CA Issuer: COMODO RSA Certification Authority, COMODO CA Limited Write review of Comodo Common Name: COMODO RSA Certification Authority Issuer: COMODO RSA Certification Authority, COMODO CA Limited Our implemented OCSP check doesn't send a host header and we have no issue with certificates issued by other CAs. Does anybody know a workaround? Can we savely add a host header to our OCSP check without affecting the checks of other certificates? Any hint is much appreciated. cheers
DISA OCSP responder sometimes producing errors
Hi, not sure if there are others that have this issue, it seems sporadic. I’m using BigIP v13.1.1 OCSP will sometimes fail and users will fail to login, and it will fail for a random duration of time which makes me think it may be an issue with DISA's OCSP servers. It doesn't happen daily. I have a pretty standard APM setup. No HA, nothing weird. My VPE: Start -> On Demand Cert (request) -> OCSP (/Common/DISA_OCSP, cert type user) -> etc etc -> For my OCSP config I have default settings with the Certificate Authority file as the DOD CA bundle and Verify other is the DOD Email CA bundle. Everything is checked besides Ignore AIA and Trust Other. The error in /var/log/apm is: OCSP Auth agent: Failure status ‘Error querying OCSP responsder *(<-this is a typo in the error)* host (ocsp.disa.mil) path (/)’ Looking at my email cert, it looks like I have two different AIAs. One is a crl.disa.mil url pointing at my CA's DODEMAILCA cer file, the other is ocsp.disa.mil. Can anyone recommend a more stable way to configure this?
OCSP check iRule issues
Hi, so, as i have quite some issues with OCSP/client cert checks using a auth profile with attached irule, i wanted to start from scratch. IF YOU CAN EVEN ONLY ANSWER ONE OF THE QUESTIONS, PLEASE DO SO! While starting with _sys_auth_ssl_ocsp, i noticed a few things: 1) We shouldnt have to do this, at least when we set set tmm_auth_subscription "*" in CLIENT_ACCEPTED, right? if {[info exists tmm_auth_subscription]} { AUTH::subscribe $tmm_auth_ssl_ocsp_sid } Though, can it be somehow possible that we get too much AUTH_RESULT events if we set it to "*"? 2) the AUTH_RESULT event will probably produce conn timeouts: when AUTH_RESULT { if {[info exists tmm_auth_ssl_ocsp_sid] and \ ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} { set tmm_auth_status [AUTH::status] if {$tmm_auth_status == 0} { set tmm_auth_ssl_ocsp_done 1 SSL::handshake resume } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} { reject } } } If the first "if" statement is not true for whatever reason OR we get a tmm_auth_status of -1 (general OCSP error), the held ssl handshake will never finish and we will run into either the ocsp idle timeout or a tcp timeout; so wouldnt it be generally better to ALWAYS to the SSL::handshake resume and just do a "return" after the reject for that special case? Or is there any special reason we shouldnt resume the handshake here? 3) can someone please explain if {[info exists tmm_auth_ssl_ocsp_sid] and \ ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} { to me? AFAIK, last_event_session_id is the last processed auth event generally. In a high load scenario (and cause the AUTH is most likely multithreaded) it may happen that this is not true. Or is the AUTH_RESULT event called for ALL instances, and this if-statement just means that we want the correct instance to process it? Many thanks in advance, Rene
Enabling OCSP stapling via f5-sdk fails
I want to enable OCSP stapling for a lot of clientSSL profiles, so I thought if'd use the f5-sdk python library. However, my tests so far fail miserably, even without trying to change the actual setting. Here's what I tested: #! /usr/bin/env python3 from f5.bigip import ManagementRoot mgmt = ManagementRoot("hostname", "username", "password") profile = mgmt.tm.ltm.profile.client_ssls.client_ssl.load(partition="Common", name="myprofile") print(profile.ocspStapling) profile.update() This print the current ocpStapling value ('disabled'), but updating the unchanged profile fails: $ python3 ocsp-test2.py disabled Traceback (most recent call last): File "ocsp-test2.py", line 15, in <module> profile.update() File "/Users/teun/Library/Python/3.7/lib/python/site-packages/f5/bigip/resource.py", line 617, in update self._update(**kwargs) File "/Users/teun/Library/Python/3.7/lib/python/site-packages/f5/bigip/resource.py", line 580, in _update response = session.put(update_uri, json=data_dict, **requests_params) File "/Users/teun/Library/Python/3.7/lib/python/site-packages/icontrol/session.py", line 295, in wrapper raise iControlUnexpectedHTTPError(error_message, response=response) icontrol.exceptions.iControlUnexpectedHTTPError: 400 Unexpected Error: Bad Request for uri: https://hostname:443/mgmt/tm/ltm/profile/client-ssl/~Common~myprofile/ Text: '{"code":400,"message":"\\"{ dont-insert-empty-fragments no-tlsv1.1 single-dh-use no-sslv3 no-tlsv1 }\\" unexpected argument","errorStack":[],"apiError":26214401}' I didn't change any settings of the profile, so why would it fail to update? As a test, I removed these SSL options., but that doesn't help either. The error message changes of course, but updating an unchanged profile still fails: icontrol.exceptions.iControlUnexpected HTTPError: 400 Unexpected Error: Bad Request for uri: https://hostname:443/mgmt/tm/ltm/profile/client-ssl/~Common~myprofile/ Text: '{"code":400,"message":"01b4002a:3: Client SSL profile (/Common/myprofile):cert-key-chain and profile cert/key/chain/passphrase options cannot be specified together.","errorStack":[],"apiError":3}' I really fail to see what's wrong here and what I need to do to get this to work. Any other suggestions on configuring OCSP stapling via python are welcome too.
CRL & OCSP validtion of client certificates from X509 fields
I have requirement to create a Client certificate authenticated VIP with revocation checks. The problem is that the client certificate presented can be issued from one of about 100 different CAs. There is an XML feed which provides me all of the valid CA certificates and I already have a solution to get these into a certificate bundle on the F5, so that's not a problem. I also have an iRule to check the certificate fingerprint against a whitelist, again this works great. However, I am required to check for certificate revocation. Each certificate will have either (or both) a CRL distribution point or an OCSP responder listed in its X509 fields. Is there anyway I can get the 5 to automatically check for certificate revocation against these fields without having to manually import all of the CRL lists and/or setup all the OCSP responders manually? Or failing that, is the a (simplish) way for the F5 to scan the CA bundle and automatically download all the CRL files and concatenate them.Client Authentication - Address of the OCSP responder using AIA extension (LTM only)
Hello folks, With regards to PSD2 Directive we would like to provide TPP (third-party payment service provider) authentication in LTM (without APM) via OCSP. Certificates need to be validated against different OCSP responders, based on the X509 AIA extension. "Authority Information Access". The idea is the following: BIG-IP to authenticate the client (SSL) and to check the client’s certificate revocation status via OCSP + to send X-Client-Certificate to the back-end for further processing (already done via iRule). I have found that there is out of the box irule "_sys_auth_ssl_ocsp", but not sure what is its point exactly and if this irule is trying to reach the OCSP responders using the AIA? Also there are some cases/articles in devcentral which points out that if we leave the URL in the OCSP Responders Configuration under Local Traffic ›› Profiles : Authentication : OCSP Responders ›› New OCSP Responder... - the BIG-IP will use the AIA to contact the OCSP Responders. To get things more complicated .. we need to go to OCSP responders via explicit outbound proxy. Will appreciate any kind of advise and help. Thank you!OCSP authentication query via http proxy
Hello, I need some help with configuring authentication profile for VS. We have service with client authentication using certificates. I need verify validity of client certificate using OCSP. So I've created authentication profile with OCSP responder definition. The missing part is how to send http query via our http proxy gateway? I do not see such option in GUI. There is predefined system iRule called _sys_auth_ssl_ocsp which is responsible for doing query. I beleive that modifying this iRule I could send request via proxy. Could support me with this?
