[root@ve10:Active] config b version|grep -iA 1 version
BIG-IP Version 10.2.4 655.0
Hotfix HF4 Edition
[root@ve10:Active] config b virtual bar list
virtual bar {
snat automap
pool foo
destination 172.28.19.252:443
ip protocol 6
auth myocsp
profiles {
myclientssl {
clientside
}
tcp {}
}
}
[root@ve10:Active] config b profile myclientssl list
profile clientssl myclientssl {
defaults from clientssl
ca file "ca.crt"
client cert ca "ca.crt"
peer cert mode require
}
[root@ve10:Active] config b profile myocsp list
profile auth myocsp {
defaults from ssl_ocsp
config myocspconfig
type ssl ocsp
credential source http basic auth
rule myrule
}
[root@ve10:Active] config b auth ssl ocsp myocspconfig list
auth ssl ocsp myocspconfig {
responders myocspresponder
}
[root@ve10:Active] config b ocsp responder myocspresponder list
ocsp responder myocspresponder {
url "http://172.28.19.251:8888/"
ignore aia enable
certs disable
verify disable
nonce disable
intern disable
sig verify disable
verify cert disable
chain disable
check certs disable
explicit disable
}
[root@ve10:Active] config b rule myrule list
# iRule myrule: validates the client certificate presented in the client-side
# TLS handshake against OCSP. It starts an ssl_ocsp auth session (bound via
# profile myocsp -> config myocspconfig on this page), parks the handshake,
# and resumes or rejects it once AUTH_RESULT reports a status.
#
# Per-connection state:
#   tmm_auth_ssl_ocsp_sid  - auth session id from AUTH::start, 0 until started
#   tmm_auth_ssl_ocsp_done - 1 once the handshake has completed, else 0
#   ssl_cert               - the client cert (SSL::cert 0), used for logging
#
# NOTE(review): the responder listed on this page (myocspresponder) has
# "verify disable", "sig verify disable", "nonce disable" and "chain disable"
# set, so a status of 0 here reflects a response that was not
# signature-checked or replay-protected - confirm this is a lab-only setting.
# The log text below (including the spelling "verfication") is what appears
# in the /var/log/ltm excerpt on this page; keep it stable if alerts key on it.
rule myrule {
# Reset per-connection auth state for every new TCP connection.
when CLIENT_ACCEPTED {
log local0. "--"
set tmm_auth_ssl_ocsp_sid 0
set tmm_auth_ssl_ocsp_done 0
}
# Fires when the client presents its certificate: start (or reuse) the OCSP
# auth session, hand it the cert and its issuer, and hold the handshake until
# AUTH_RESULT decides.
when CLIENTSSL_CLIENTCERT {
log local0. "--"
set tmm_auth_ssl_ocsp_done 0
set ssl_cert [SSL::cert 0]
# One auth session per connection; 0 means none has been started yet.
if {$tmm_auth_ssl_ocsp_sid == 0} {
set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
# presumably set by another rule that wants this session's events - confirm
if {[info exists tmm_auth_subscription]} {
AUTH::subscribe $tmm_auth_ssl_ocsp_sid
}
}
AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
AUTH::authenticate $tmm_auth_ssl_ocsp_sid
# The handshake stays held; it is resumed only from AUTH_RESULT on status 0.
SSL::handshake hold
log local0.debug "Client [IP::client_addr] connected with the Client Certificate: [X509::subject $ssl_cert] and checking with OCSP"
}
# Handshake finished (after a resume); remember it so a late -1 status does
# not reject an already-established session.
when CLIENTSSL_HANDSHAKE {
log local0. "--"
set tmm_auth_ssl_ocsp_done 1
}
# Auth session result. Only act on events belonging to this connection's
# own session id.
when AUTH_RESULT {
log local0. "--"
if {[info exists tmm_auth_ssl_ocsp_sid] and \
($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
set tmm_auth_status [AUTH::status]
# Status 0: validation succeeded, release the held handshake.
if {$tmm_auth_status == 0} {
set tmm_auth_ssl_ocsp_done 1
log local0.debug "OCSP verfication succeeded, [AUTH::status]"
SSL::handshake resume
# Any other status rejects, except -1 once the handshake has already
# completed. NOTE(review): the meaning of -1 is not shown on this page -
# presumably "no result yet"; confirm against the AUTH::status reference.
} elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
log local0.debug "OCSP verfication from error, [AUTH::status]"
reject
}
}
}
}
/var/log/ltm
[root@ve10:Active] config tail -f /var/log/ltm
Mar 2 23:00:36 local/tmm info tmm[22185]: Rule myrule : --
Mar 2 23:00:36 local/tmm info tmm[22185]: Rule myrule : --
Mar 2 23:00:36 local/tmm debug tmm[22185]: Rule myrule : Client 172.28.20.17 connected with the Client Certificate: CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US and checking with OCSP
Mar 2 23:00:36 local/tmm info tmm[22185]: Rule myrule : --
Mar 2 23:00:36 local/tmm debug tmm[22185]: Rule myrule : OCSP verfication succeeded, 0
Mar 2 23:00:36 local/tmm info tmm[22185]: Rule myrule : --