Hi,
Below is the existing configuration on my F5, but I am receiving the error shown below. Kindly verify the configuration and share your comments.
b version|grep -iA 1 version
BIG-IP Version 10.2.4 577.0
Final Edition
[root@RYDYDC1GSNLB01:Active] config b virtual SERVICES-T.YESSER.EGOV_443_VS list
virtual SERVICES-T.YESSER.EGOV_443_VS {
snat automap
pool SERVICES-T.YESSER.EGOV_80_POOL
destination x.x.x.x:https
ip protocol tcp
rules {
HSL-LOG
TEST_SSL-ProfileSelect_TCP-Logging
}
persist source_addr_yesser
profiles {
SERVICES-T.YESSER.EGOV_HTTP_X-FORWARD {}
SERVICES-T.YESSER.EGOV_ONECONNECT {}
clientssl {
clientside
}
tcp-lan-optimized {
serverside
}
tcp-wan-optimized {
clientside
}
}
vlans Lb-dmzssl enable
}
[root@RYDYDC1GSNLB01:Active] config b profile AGENCY_CLIENT-AUTHENTICATION_OB_02 list
profile clientssl AGENCY_CLIENT-AUTHENTICATION_OB_02 {
defaults from clientssl
key "YDC_SERVICES-O.YESSER.EGOV_KEY.key"
cert "YDC_SERVICES-O.YESSER.EGOV.crt"
chain "NCDC_NRCA_GCA_SHA2CHAIN.crt"
ca file "NCDC_NRCA_SHA2.crt"
crl file none
client cert ca "NCDC_NRCA_GCA_SHA2CHAIN.crt"
ciphers "DEFAULT"
options dont insert empty fragments
modssl methods disable
cache size 262144
cache timeout 3600
renegotiate enable
renegotiate period indefinite
renegotiate size indefinite
renegotiate max record delay 10
secure renegotiation require
handshake timeout 60
alert timeout 60
peer cert mode require
authenticate once
authenticate depth 9
unclean shutdown enable
strict resume disable
nonssl disable
}
[root@RYDYDC1GSNLB01:Active] config b profile ncdc-ocsp-profile list
profile auth ncdc-ocsp-profile {
defaults from ssl_ocsp
config ncdc-ocsp-config
type ssl ocsp
credential source http basic auth
}
[root@RYDYDC1GSNLB01:Active] config b auth ssl ocsp ncdc-ocsp-config list
auth ssl ocsp ncdc-ocsp-config {
responders NCDC_OCSP
}
[root@RYDYDC1GSNLB01:Active] config b ocsp responder NCDC_OCSP list
ocsp responder NCDC_OCSP {
url "http://x.x.x.x"
nonce disable
}
[root@RYDYDC1GSNLB01:Active] config b rule OCSP-irule list
rule OCSP-irule {
  # Holds the client-side TLS handshake while the presented client
  # certificate is checked through the auth profile ncdc-ocsp-profile
  # (an ssl ocsp auth profile backed by the responder NCDC_OCSP); the
  # handshake is resumed on a successful result and the connection is
  # rejected otherwise.
  #
  # Per-connection variables used across events:
  #   tmm_auth_ssl_ocsp_sid  - AUTH session id, 0 until AUTH::start runs
  #   tmm_auth_ssl_ocsp_done - set to 1 once CLIENTSSL_HANDSHAKE fired or
  #                            the OCSP result was accepted
  #   hsl                    - high-speed-logging handle to SYSLOG_514_POOL
  #
  # NOTE(review): this rule is not in the rules list of the virtual server
  # shown above; presumably it is attached elsewhere or selected by the
  # TEST_SSL-ProfileSelect_TCP-Logging rule - verify. The virtual also
  # lists the default clientssl profile, while the profile that sets
  # peer cert mode require is AGENCY_CLIENT-AUTHENTICATION_OB_02 - confirm
  # which profile is actually in use where this rule runs.
  when CLIENT_ACCEPTED {
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
    # UDP HSL destination; the same handle is reused by the later events.
    set hsl [HSL::open -proto UDP -pool SYSLOG_514_POOL]
  }
  when CLIENTSSL_CLIENTCERT {
    # A new client certificate resets the done flag so a pending result
    # cannot be treated as complete.
    set tmm_auth_ssl_ocsp_done 0
    # Certificate at index 0 of what the client presented.
    set ssl_cert [SSL::cert 0]
    # Start one OCSP auth session per connection; later client-cert
    # events on the same connection reuse the existing session id.
    if {$tmm_auth_ssl_ocsp_sid == 0} {
      set tmm_auth_ssl_ocsp_sid [AUTH::start pam ncdc-ocsp-profile]
      # tmm_auth_subscription is never set in this rule; presumably another
      # rule on the same virtual sets it when it wants AUTH events - verify.
      if {[info exists tmm_auth_subscription]} {
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
      }
    }
    # Pause the handshake until AUTH_RESULT decides. Nothing in this rule
    # resumes it other than the success branch in AUTH_RESULT; a result
    # of -1 with the handshake already completed leaves it on hold.
    SSL::handshake hold
    log local0.debug "Client [IP::client_addr] connected with the Client Certificate: [X509::subject $ssl_cert] and checking with OCSP"
    HSL::send $hsl "Client [IP::client_addr] connected with the Client Certificate: [X509::subject $ssl_cert] and checking with OCSP"
  }
  when CLIENTSSL_HANDSHAKE {
    # Marks the handshake as finished for the AUTH_RESULT decision below.
    set tmm_auth_ssl_ocsp_done 1
  }
  when AUTH_RESULT {
    # Only act on results that belong to this rule's own OCSP session.
    if {[info exists tmm_auth_ssl_ocsp_sid] and \
        ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
      set tmm_auth_status [AUTH::status]
      if {$tmm_auth_status == 0} {
        # Status 0: the OCSP check passed, let the held handshake continue.
        set tmm_auth_ssl_ocsp_done 1
        log local0.debug "OCSP verfication succeeded, [AUTH::status]"
        HSL::send $hsl "OCSP verfication from succeeded, [AUTH::status]"
        SSL::handshake resume
      } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
        # Any status other than 0 or -1, or a result arriving while the
        # handshake flag is still 0, drops the connection. The log excerpt
        # below this rule shows status 1 landing in this branch.
        # (The message text reads verfication - a typo in the log string,
        # left as-is here because it is emitted at runtime.)
        log local0.debug "OCSP verfication from error, [AUTH::status]"
        HSL::send $hsl "OCSP verfication from error, [AUTH::status]"
        reject
      }
    }
  }
}
Logs
=======================================================================================================================
Sun Mar 3 11:46:17 AST 2013 info local/tmm tmm[5244] Rule TEST_SSL-ProfileSelect_TCP-Logging : TCP Connection - Started, Time: 2013-03-03 11:46:17, the Client IP: 10.1.1.29 Client Port: 8585 to 10.178.254.30:443
Sun Mar 3 11:46:22 AST 2013 debug local/tmm tmm[5244] Rule OCSP-irule : Client 10.1.1.29 connected with the Client Certificate: CN=demo.yesser.gov.sa,OU=YESSER CSP,OU=Government CA,O=National Center for Digital Certification,C=SA and checking with OCSP
Sun Mar 3 11:46:22 AST 2013 debug local/tmm tmm[5244] Rule OCSP-irule : OCSP verfication from error, 1
Sun Mar 3 11:46:22 AST 2013 info local/tmm1 tmm1[5245] Rule TEST_SSL-ProfileSelect_TCP-Logging : TCP Connection - Started, Time: 2013-03-03 11:46:22, the Client IP: 10.1.1.29 Client Port: 8586 to 10.178.254.30:443
Sun Mar 3 11:46:26 AST 2013 debug local/tmm1 tmm1[5245] Rule OCSP-irule : Client 10.1.1.29 connected with the Client Certificate: CN=demo.yesser.gov.sa,OU=YESSER CSP,OU=Government CA,O=National Center for Digital Certification,C=SA and checking with OCSP
Sun Mar 3 11:46:26 AST 2013 debug local/tmm1 tmm1[5245] Rule OCSP-irule : OCSP verfication from error, 1
Sun Mar 3 11:46:26 AST 2013 info local/tmm tmm[5244] Rule TEST_SSL-ProfileSelect_TCP-Logging : TCP Connection - Started, Time: 2013-03-03 11:46:26, the Client IP: 10.1.1.29 Client Port: 8587 to 10.178.254.30:443
Sun Mar 3 11:46:31 AST 2013 debug local/tmm tmm[5244] Rule OCSP-irule : Client 10.1.1.29 connected with the Client Certificate: CN=demo.yesser.gov.sa,OU=YESSER CSP,OU=Government CA,O=National Center for Digital Certification,C=SA and checking with OCSP
Sun Mar 3 11:46:31 AST 2013 debug local/tmm tmm[5244] Rule OCSP-irule : OCSP verfication from error, 1
Sun Mar 3 11:46:31 AST 2013 info local/tmm1 tmm1[5245] Rule TEST_SSL-ProfileSelect_TCP-Logging : TCP Connection - Started, Time: 2013-03-03 11:46:31, the Client IP: 10.1.1.29 Client Port: 8588 to 10.178.254.30:443