Forum Discussion
hui_37443
Jun 29, 2012 · Nimbostratus
authentication timeout
I've noticed that the OCSP responder never times out. I've managed to make a dummy OCSP server which receives a request & goes to sleep. F5 keeps waiting for the response that never comes back. That makes the browser wait as well because the SSL handshake is hanging.
Is there a way to instruct F5 to give up and simply declare the authentication has failed?
I am using BIG-IP 10.2.4
3 Replies
- > Is there a way to instruct F5 to give up and simply declare the authentication has failed?

  I think you may have to modify the OCSP iRule. For example, I copied the default OCSP iRule and put in a reject command if auth is not done within 5 seconds.
  ```tcl
  [root@ve1024:Active] config # b rule myocsp list
  rule myocsp {
     when CLIENT_ACCEPTED {
        set tmm_auth_ssl_ocsp_sid 0
        set tmm_auth_ssl_ocsp_done 0
     }
     when CLIENTSSL_CLIENTCERT {
        set tmm_auth_ssl_ocsp_done 0
        if {$tmm_auth_ssl_ocsp_sid == 0} {
           set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
           if {[info exists tmm_auth_subscription]} {
              AUTH::subscribe $tmm_auth_ssl_ocsp_sid
           }
        }
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        # reject after 5,000ms (5s)
        set monitor_id [after 5000 { reject }]
        SSL::handshake hold
     }
     when CLIENTSSL_HANDSHAKE {
        set tmm_auth_ssl_ocsp_done 1
     }
     when AUTH_RESULT {
        # cancel rejection if auth is done before 5s
        if {[info exists monitor_id]} {
           after cancel $monitor_id
        }
        if {[info exists tmm_auth_ssl_ocsp_sid] and \
           ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
           set tmm_auth_status [AUTH::status]
           if {$tmm_auth_status == 0} {
              set tmm_auth_ssl_ocsp_done 1
              SSL::handshake resume
           } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
              reject
           }
        }
     }
  }
  ```

  From the packet trace, BIG-IP sent a reset (frame 16) after 5 seconds.

  ```
  No. Time Delta Time Source Src port Destination Dst port Protocol Window BiF Vlan id Length Info
  1 2012-06-29 22:48:35.651713 0.000000 172.28.19.253 39185 172.28.19.79 443 TCP 5840 4094 163 IN s0/tmm0 : 39185 > 443 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=950608435 TSecr=0 WS=128
  2 2012-06-29 22:48:35.651781 0.000068 172.28.19.79 443 172.28.19.253 39185 TCP 4380 4094 167 OUT s0/tmm0 : 443 > 39185 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=1 TSval=951519299 TSecr=950608435 SACK_PERM=1
  3 2012-06-29 22:48:35.652989 0.001208 172.28.19.253 39185 172.28.19.79 443 TCP 5888 4094 155 IN s0/tmm0 : 39185 > 443 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSval=950608437 TSecr=951519299
  4 2012-06-29 22:48:35.675901 0.022912 172.28.19.253 39185 172.28.19.79 443 SSLv2 5888 123 4094 278 IN s0/tmm0 : Client Hello
  5 2012-06-29 22:48:35.675946 0.000045 172.28.19.79 443 172.28.19.253 39185 TLSv1 4380 805 4094 960 OUT s0/tmm0 : Server Hello, Certificate, Certificate Request, Server Hello Done
  6 2012-06-29 22:48:35.677892 0.001946 172.28.19.253 39185 172.28.19.79 443 TCP 7552 4094 155 IN s0/tmm0 : 39185 > 443 [ACK] Seq=124 Ack=806 Win=7552 Len=0 TSval=950608462 TSecr=951519323
  7 2012-06-29 22:48:35.684862 0.006970 172.28.19.253 39185 172.28.19.79 443 TLSv1 7552 1065 4094 1220 IN s0/tmm0 : Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
  15 2012-06-29 22:48:35.784907 0.100045 172.28.19.79 443 172.28.19.253 39185 TCP 5568 4094 155 OUT s0/tmm0 : 443 > 39185 [ACK] Seq=806 Ack=1189 Win=5568 Len=0 TSval=951519432 TSecr=950608468
  16 2012-06-29 22:48:40.684979 4.900072 172.28.19.79 443 172.28.19.253 39185 TCP 5568 4094 143 OUT s0/tmm0 : 443 > 39185 [RST, ACK] Seq=806 Ack=1189 Win=5568 Len=0
  ```
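A way to confirm from a capture like the one in the reply above that the `after 5000 { reject }` timer really ended the held handshake: the hold starts when the client's Certificate Verify arrives, so the next server-side event should be a reset close to 5 s, not a handshake completion and not silence. This is an added Python helper, not code from the post or from F5; it assumes the frame lines keep the column layout shown, with the Info column after the first " : " separator, and the sample trace is a constructed subset of the frames above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the frames quoted above, one per line, same column layout.
TRACE = """\
1 2012-06-29 22:48:35.651713 0.000000 172.28.19.253 39185 172.28.19.79 443 TCP 5840 4094 163 IN s0/tmm0 : 39185 > 443 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=950608435 TSecr=0 WS=128
4 2012-06-29 22:48:35.675901 0.022912 172.28.19.253 39185 172.28.19.79 443 SSLv2 5888 123 4094 278 IN s0/tmm0 : Client Hello
5 2012-06-29 22:48:35.675946 0.000045 172.28.19.79 443 172.28.19.253 39185 TLSv1 4380 805 4094 960 OUT s0/tmm0 : Server Hello, Certificate, Certificate Request, Server Hello Done
7 2012-06-29 22:48:35.684862 0.006970 172.28.19.253 39185 172.28.19.79 443 TLSv1 7552 1065 4094 1220 IN s0/tmm0 : Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
15 2012-06-29 22:48:35.784907 0.100045 172.28.19.79 443 172.28.19.253 39185 TCP 5568 4094 155 OUT s0/tmm0 : 443 > 39185 [ACK] Seq=806 Ack=1189 Win=5568 Len=0 TSval=951519432 TSecr=950608468
16 2012-06-29 22:48:40.684979 4.900072 172.28.19.79 443 172.28.19.253 39185 TCP 5568 4094 143 OUT s0/tmm0 : 443 > 39185 [RST, ACK] Seq=806 Ack=1189 Win=5568 Len=0
"""

# Assumption: the Info column always follows the first " : " separator, as in the trace above.
FRAME_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\S+\s+"
    r"(?P<src>\S+)\s+\d+\s+(?P<dst>\S+)\s+\d+\s+(?P<proto>\S+)\s+.*?:\s+(?P<info>.*)$"
)

def parse_frames(text):
    """Turn trace lines into dicts with a parsed timestamp; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            f = m.groupdict()
            f["no"] = int(f["no"])
            f["ts"] = datetime.strptime(f["ts"], "%Y-%m-%d %H:%M:%S.%f")
            frames.append(f)
    return frames

def handshake_hold_outcome(frames):
    """Classify what followed the client's Certificate Verify (where the iRule holds the handshake)."""
    hold = next((f for f in frames if "Certificate Verify" in f["info"]), None)
    if hold is None:
        return ("no_client_cert", None)
    for f in frames:
        if f["no"] <= hold["no"]:
            continue
        secs = (f["ts"] - hold["ts"]).total_seconds()
        if "[RST" in f["info"]:
            return ("reset", secs)           # the after-timer (or AUTH_RESULT) rejected
        if f["src"] == hold["dst"] and "Change Cipher Spec" in f["info"]:
            return ("completed", secs)       # server finished the handshake: OCSP answered
    return ("hanging", None)                 # neither seen: the original symptom

def after_timer_honoured(frames, limit_ms=5000, slack_ms=200):
    """True if the hold ended in a reset within slack_ms of the iRule's 'after' value."""
    outcome, secs = handshake_hold_outcome(frames)
    return outcome == "reset" and abs(secs * 1000 - limit_ms) <= slack_ms
```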
- If you have more than one OCSP server, it would also be good to configure them in a pool and add that to an internal virtual server. You could then configure that internal VS as the OCSP responder IP:port.
- The "after" statement does the trick.