Forum Discussion

hui_37443
Jun 29, 2012

authentication timeout

I've noticed that the OCSP responder never times out. I've managed to make a dummy OCSP server which receives a request and goes to sleep. F5 keeps waiting for the response that never comes back. That makes the browser wait as well, because the SSL handshake hangs.

Is there a way to instruct F5 to give up and simply declare the authentication has failed?

I am using BIG-IP 10.2.4

3 Replies

  • "Is there a way to instruct F5 to give up and simply declare the authentication has failed?"

    I think you may have to modify the OCSP iRule. For example, I copied the default OCSP iRule and put in a reject command if auth is not done within 5 seconds.

    [root@ve1024:Active] config # b rule myocsp list
    rule myocsp {
       when CLIENT_ACCEPTED {
          set tmm_auth_ssl_ocsp_sid 0
          set tmm_auth_ssl_ocsp_done 0
       }
       when CLIENTSSL_CLIENTCERT {
          set tmm_auth_ssl_ocsp_done 0
          if {$tmm_auth_ssl_ocsp_sid == 0} {
             set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
             if {[info exists tmm_auth_subscription]} {
                AUTH::subscribe $tmm_auth_ssl_ocsp_sid
             }
          }
          AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
          AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
          AUTH::authenticate $tmm_auth_ssl_ocsp_sid

          # reject after 5000 ms (5 s) if AUTH_RESULT has not fired by then
          set monitor_id [after 5000 { reject }]

          SSL::handshake hold
       }
       when CLIENTSSL_HANDSHAKE {
          set tmm_auth_ssl_ocsp_done 1
       }
       when AUTH_RESULT {
          # cancel the pending rejection if auth is done before 5 s
          if {[info exists monitor_id]} { after cancel $monitor_id }

          if {[info exists tmm_auth_ssl_ocsp_sid] and \
             ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
             set tmm_auth_status [AUTH::status]
             if {$tmm_auth_status == 0} {
                set tmm_auth_ssl_ocsp_done 1
                SSL::handshake resume
             } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
                reject
             }
          }
       }
    }
    
    From the packet trace, BIG-IP sent a reset (frame 16) after 5 seconds.
    
    No.     Time                       Delta Time  Source                Src port Destination           Dst port Protocol Window     BiF        Vlan id Length Info
          1 2012-06-29 22:48:35.651713 0.000000    172.28.19.253         39185    172.28.19.79          443      TCP      5840                  4094    163    IN  s0/tmm0 : 39185 > 443 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=950608435 TSecr=0 WS=128
          2 2012-06-29 22:48:35.651781 0.000068    172.28.19.79          443      172.28.19.253         39185    TCP      4380                  4094    167    OUT s0/tmm0 : 443 > 39185 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=1 TSval=951519299 TSecr=950608435 SACK_PERM=1
          3 2012-06-29 22:48:35.652989 0.001208    172.28.19.253         39185    172.28.19.79          443      TCP      5888                  4094    155    IN  s0/tmm0 : 39185 > 443 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSval=950608437 TSecr=951519299
          4 2012-06-29 22:48:35.675901 0.022912    172.28.19.253         39185    172.28.19.79          443      SSLv2    5888       123        4094    278    IN  s0/tmm0 : Client Hello
          5 2012-06-29 22:48:35.675946 0.000045    172.28.19.79          443      172.28.19.253         39185    TLSv1    4380       805        4094    960    OUT s0/tmm0 : Server Hello, Certificate, Certificate Request, Server Hello Done
          6 2012-06-29 22:48:35.677892 0.001946    172.28.19.253         39185    172.28.19.79          443      TCP      7552                  4094    155    IN  s0/tmm0 : 39185 > 443 [ACK] Seq=124 Ack=806 Win=7552 Len=0 TSval=950608462 TSecr=951519323
          7 2012-06-29 22:48:35.684862 0.006970    172.28.19.253         39185    172.28.19.79          443      TLSv1    7552       1065       4094    1220   IN  s0/tmm0 : Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
         15 2012-06-29 22:48:35.784907 0.100045    172.28.19.79          443      172.28.19.253         39185    TCP      5568                  4094    155    OUT s0/tmm0 : 443 > 39185 [ACK] Seq=806 Ack=1189 Win=5568 Len=0 TSval=951519432 TSecr=950608468
         16 2012-06-29 22:48:40.684979 4.900072    172.28.19.79          443      172.28.19.253         39185    TCP      5568                  4094    143    OUT s0/tmm0 : 443 > 39185 [RST, ACK] Seq=806 Ack=1189 Win=5568 Len=0
    
  • If you have more than one OCSP server, it would also be good to configure them in a pool and add that to an internal virtual server. You could then configure that internal VS as the OCSP responder IP:port.

    With or without an OCSP virtual server, you could configure a pool containing the OCSP server(s) with a health monitor and check for [active_members ocsp_pool] > 0 before attempting the auth from the OCSP iRule. This will help you avoid attempting auth if the OCSP server(s) are unreachable.

    Aaron
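The two replies above fit together: the first bounds how long a single client-cert handshake may wait on the responder, the second avoids starting the OCSP query at all when no responder is healthy. The iRule below is an added example (not code from either poster or from F5) that combines both into one rule. It assumes a pool named ocsp_pool (the name used in the second reply) with a health monitor attached, the PAM configuration default_ssl_ocsp from the default OCSP iRule, and a 5 second timeout; the variable ocsp_timer_id, the log messages and the CLIENT_CLOSED cleanup are my own additions.

```tcl
# Added example: OCSP client-cert auth that fails closed on an unhealthy
# responder pool and on a responder that never answers.
# Assumptions: pool "ocsp_pool" with a health monitor, PAM config
# "default_ssl_ocsp", 5 s timeout. ocsp_timer_id is a name chosen here.
when CLIENT_ACCEPTED {
   set tmm_auth_ssl_ocsp_sid 0
   set tmm_auth_ssl_ocsp_done 0
}
when CLIENTSSL_CLIENTCERT {
   set tmm_auth_ssl_ocsp_done 0

   # Pre-check from the second reply: if the health monitor has marked every
   # responder down, do not start an auth session that can never complete.
   if { [active_members ocsp_pool] < 1 } {
      log local0. "No active members in ocsp_pool; rejecting client [IP::client_addr]"
      reject
      return
   }

   if {$tmm_auth_ssl_ocsp_sid == 0} {
      set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
      if {[info exists tmm_auth_subscription]} {
         AUTH::subscribe $tmm_auth_ssl_ocsp_sid
      }
   }
   AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
   AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
   AUTH::authenticate $tmm_auth_ssl_ocsp_sid

   # Timeout from the first reply: arm a one-shot timer. If AUTH_RESULT has
   # not fired within 5000 ms the connection is reset instead of holding the
   # handshake (and the browser) open indefinitely.
   set ocsp_timer_id [after 5000 {
      log local0. "OCSP responder did not answer within 5s; rejecting client"
      reject
   }]

   SSL::handshake hold
}
when CLIENTSSL_HANDSHAKE {
   set tmm_auth_ssl_ocsp_done 1
}
when AUTH_RESULT {
   # The responder answered in time: disarm the timer so it cannot reset a
   # connection whose auth already succeeded.
   if {[info exists ocsp_timer_id]} { after cancel $ocsp_timer_id }

   if {[info exists tmm_auth_ssl_ocsp_sid] and \
      ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
      set tmm_auth_status [AUTH::status]
      if {$tmm_auth_status == 0} {
         # Good OCSP answer: let the handshake continue.
         set tmm_auth_ssl_ocsp_done 1
         SSL::handshake resume
      } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
         # Revoked, error, or handshake not yet completed: fail closed.
         reject
      }
   }
}
when CLIENT_CLOSED {
   # Housekeeping: never leave a timer behind for a connection that is gone.
   if {[info exists ocsp_timer_id]} { after cancel $ocsp_timer_id }
}
```

The two checks cover different failure modes. A health monitor only tells you what the responder looked like at its last probe, so a responder that was up a few seconds ago and is now hanging still gets past active_members; the timer is what turns that case into a reset (frame 16 in the trace above) rather than a handshake that never finishes. Conversely, the timer alone would let every client wait the full 5 seconds while the pool is down; the pre-check rejects those immediately. Both log lines go to /var/log/ltm, which gives an operator a signal to alert on when the responder starts timing out.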