Forum Discussion

midhun_108442
Mar 02, 2013

OCSP Irule help needed

Hi,

I need to test an iRule that directs traffic to an OCSP responder. I have compiled this iRule and need to see if it is workable.

    when CLIENT_ACCEPTED {
       set tmm_auth_ssl_ocsp_sid 0
       set tmm_auth_ssl_ocsp_done 0
       set hsl [HSL::open -proto UDP -pool SYSLOG_514_POOL]
    }
    when CLIENTSSL_CLIENTCERT {
       set tmm_auth_ssl_ocsp_done 0
       set ssl_cert [SSL::cert 0]
       if {$tmm_auth_ssl_ocsp_sid == 0} {
          set tmm_auth_ssl_ocsp_sid [AUTH::start pam ncdc-ocsp-profile]
          if {[info exists tmm_auth_subscription]} {
             AUTH::subscribe $tmm_auth_ssl_ocsp_sid
          }
       }
       SSL::handshake hold
       log local0.debug "Client [IP::client_addr] connected with the Client Certificate: [X509::subject $ssl_cert] and checking with OCSP"
       HSL::send $hsl "Client [IP::client_addr] connected with the Client Certificate: [X509::subject $ssl_cert] and checking with OCSP"
    }
    when CLIENTSSL_HANDSHAKE {
       set tmm_auth_ssl_ocsp_done 1
    }
    when AUTH_RESULT {
       if {[info exists tmm_auth_ssl_ocsp_sid] and \
           ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
          set tmm_auth_status [AUTH::status]
          if {$tmm_auth_status == 0} {
             set tmm_auth_ssl_ocsp_done 1
             log local0.debug "OCSP verfication succeeded, [AUTH::status]"
             HSL::send $hsl "OCSP verfication from succeeded, [AUTH::status]"
             SSL::handshake resume
          } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
             log local0.debug "OCSP verfication from error, [AUTH::status]"
             HSL::send $hsl "OCSP verfication from error, [AUTH::status]"
             reject
          }
       }
    }

 

I am currently running 10.2.4 but created this iRule on version 10.2.2.

Regards,

Midhun P.K

 

5 Replies

  • [root@ve10:Active] config  b version|grep -iA 1 version
    BIG-IP Version 10.2.4 655.0
    Hotfix HF4 Edition
    
    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.252:443
       ip protocol 6
       auth myocsp
       profiles {
          myclientssl {
             clientside
          }
          tcp {}
       }
    }
    [root@ve10:Active] config  b profile myclientssl list
    profile clientssl myclientssl {
       defaults from clientssl
       ca file "ca.crt"
       client cert ca "ca.crt"
       peer cert mode require
    }
    [root@ve10:Active] config  b profile myocsp list
    profile auth myocsp {
       defaults from ssl_ocsp
       config myocspconfig
       type ssl ocsp
       credential source http basic auth
       rule myrule
    }
    [root@ve10:Active] config  b auth ssl ocsp myocspconfig list
    auth ssl ocsp myocspconfig {
       responders myocspresponder
    }
    [root@ve10:Active] config  b ocsp responder myocspresponder list
    ocsp responder myocspresponder {
       url "http://172.28.19.251:8888/"
       ignore aia enable
       certs disable
       verify disable
       nonce disable
       intern disable
       sig verify disable
       verify cert disable
       chain disable
       check certs disable
       explicit disable
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
          log local0. "--"
          set tmm_auth_ssl_ocsp_sid 0
          set tmm_auth_ssl_ocsp_done 0
       }
       when CLIENTSSL_CLIENTCERT {
          log local0. "--"
          set tmm_auth_ssl_ocsp_done 0
          set ssl_cert [SSL::cert 0]
          if {$tmm_auth_ssl_ocsp_sid == 0} {
             set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
             if {[info exists tmm_auth_subscription]} {
                AUTH::subscribe $tmm_auth_ssl_ocsp_sid
             }
          }
          AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
          AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
          AUTH::authenticate $tmm_auth_ssl_ocsp_sid
          SSL::handshake hold
          log local0.debug "Client [IP::client_addr] connected with the Client Certificate: [X509::subject $ssl_cert] and checking with OCSP"
       }
       when CLIENTSSL_HANDSHAKE {
          log local0. "--"
          set tmm_auth_ssl_ocsp_done 1
       }
       when AUTH_RESULT {
          log local0. "--"
          if {[info exists tmm_auth_ssl_ocsp_sid] and \
              ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
             set tmm_auth_status [AUTH::status]
             if {$tmm_auth_status == 0} {
                set tmm_auth_ssl_ocsp_done 1
                log local0.debug "OCSP verfication succeeded, [AUTH::status]"
                SSL::handshake resume
             } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
                log local0.debug "OCSP verfication from  error, [AUTH::status]"
                reject
             }
          }
       }
    }
    
     /var/log/ltm
    
    [root@ve10:Active] config  tail -f /var/log/ltm
    Mar  2 23:00:36 local/tmm info tmm[22185]: Rule myrule : --
    Mar  2 23:00:36 local/tmm info tmm[22185]: Rule myrule : --
    Mar  2 23:00:36 local/tmm debug tmm[22185]: Rule myrule : Client 172.28.20.17 connected with the Client Certificate: CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US and checking with OCSP
    Mar  2 23:00:36 local/tmm info tmm[22185]: Rule myrule : --
    Mar  2 23:00:36 local/tmm debug tmm[22185]: Rule myrule : OCSP verfication succeeded, 0
    Mar  2 23:00:36 local/tmm info tmm[22185]: Rule myrule : --
    
  • Hi,

    Below is the existing configuration on my F5, but I am receiving the error shown below. Kindly verify the configuration and update your comment.

    b version|grep -iA 1 version
    BIG-IP Version 10.2.4 577.0
    Final Edition

    [root@RYDYDC1GSNLB01:Active] config b virtual SERVICES-T.YESSER.EGOV_443_VS list
    virtual SERVICES-T.YESSER.EGOV_443_VS {
       snat automap
       pool SERVICES-T.YESSER.EGOV_80_POOL
       destination x.x.x.x:https
       ip protocol tcp
       rules {
          HSL-LOG
          TEST_SSL-ProfileSelect_TCP-Logging
       }
       persist source_addr_yesser
       profiles {
          SERVICES-T.YESSER.EGOV_HTTP_X-FORWARD {}
          SERVICES-T.YESSER.EGOV_ONECONNECT {}
          clientssl {
             clientside
          }
          tcp-lan-optimized {
             serverside
          }
          tcp-wan-optimized {
             clientside
          }
       }
       vlans Lb-dmzssl enable
    }
    [root@RYDYDC1GSNLB01:Active] config b profile AGENCY_CLIENT-AUTHENTICATION_OB_02 list
    profile clientssl AGENCY_CLIENT-AUTHENTICATION_OB_02 {
       defaults from clientssl
       key "YDC_SERVICES-O.YESSER.EGOV_KEY.key"
       cert "YDC_SERVICES-O.YESSER.EGOV.crt"
       chain "NCDC_NRCA_GCA_SHA2CHAIN.crt"
       ca file "NCDC_NRCA_SHA2.crt"
       crl file none
       client cert ca "NCDC_NRCA_GCA_SHA2CHAIN.crt"
       ciphers "DEFAULT"
       options dont insert empty fragments
       modssl methods disable
       cache size 262144
       cache timeout 3600
       renegotiate enable
       renegotiate period indefinite
       renegotiate size indefinite
       renegotiate max record delay 10
       secure renegotiation require
       handshake timeout 60
       alert timeout 60
       peer cert mode require
       authenticate once
       authenticate depth 9
       unclean shutdown enable
       strict resume disable
       nonssl disable
    }
    [root@RYDYDC1GSNLB01:Active] config b profile ncdc-ocsp-profile list
    profile auth ncdc-ocsp-profile {
       defaults from ssl_ocsp
       config ncdc-ocsp-config
       type ssl ocsp
       credential source http basic auth
    }
    [root@RYDYDC1GSNLB01:Active] config b auth ssl ocsp ncdc-ocsp-config list
    auth ssl ocsp ncdc-ocsp-config {
       responders NCDC_OCSP
    }
    [root@RYDYDC1GSNLB01:Active] config b ocsp responder NCDC_OCSP list
    ocsp responder NCDC_OCSP {
       url "http://x.x.x.x"
       nonce disable
    }
    [root@RYDYDC1GSNLB01:Active] config b rule OCSP-irule list
    rule OCSP-irule {
       when CLIENT_ACCEPTED {
          set tmm_auth_ssl_ocsp_sid 0
          set tmm_auth_ssl_ocsp_done 0
          set hsl [HSL::open -proto UDP -pool SYSLOG_514_POOL]
       }
       when CLIENTSSL_CLIENTCERT {
          set tmm_auth_ssl_ocsp_done 0
          set ssl_cert [SSL::cert 0]
          if {$tmm_auth_ssl_ocsp_sid == 0} {
             set tmm_auth_ssl_ocsp_sid [AUTH::start pam ncdc-ocsp-profile]
             if {[info exists tmm_auth_subscription]} {
                AUTH::subscribe $tmm_auth_ssl_ocsp_sid
             }
          }
          SSL::handshake hold
          log local0.debug "Client [IP::client_addr] connected with the Client Certificate: [X509::subject $ssl_cert] and checking with OCSP"
          HSL::send $hsl "Client [IP::client_addr] connected with the Client Certificate: [X509::subject $ssl_cert] and checking with OCSP"
       }
       when CLIENTSSL_HANDSHAKE {
          set tmm_auth_ssl_ocsp_done 1
       }
       when AUTH_RESULT {
          if {[info exists tmm_auth_ssl_ocsp_sid] and \
              ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
             set tmm_auth_status [AUTH::status]
             if {$tmm_auth_status == 0} {
                set tmm_auth_ssl_ocsp_done 1
                log local0.debug "OCSP verfication succeeded, [AUTH::status]"
                HSL::send $hsl "OCSP verfication from succeeded, [AUTH::status]"
                SSL::handshake resume
             } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
                log local0.debug "OCSP verfication from error, [AUTH::status]"
                HSL::send $hsl "OCSP verfication from error, [AUTH::status]"
                reject
             }
          }
       }
    }

    Logs
    =======================================================================================================================
    Sun Mar 3 11:46:17 AST 2013 info local/tmm tmm[5244] Rule TEST_SSL-ProfileSelect_TCP-Logging : TCP Connection - Started, Time: 2013-03-03 11:46:17, the Client IP: 10.1.1.29 Client Port: 8585 to 10.178.254.30:443
    Sun Mar 3 11:46:22 AST 2013 debug local/tmm tmm[5244] Rule OCSP-irule : Client 10.1.1.29 connected with the Client Certificate: CN=demo.yesser.gov.sa,OU=YESSER CSP,OU=Government CA,O=National Center for Digital Certification,C=SA and checking with OCSP
    Sun Mar 3 11:46:22 AST 2013 debug local/tmm tmm[5244] Rule OCSP-irule : OCSP verfication from error, 1
    Sun Mar 3 11:46:22 AST 2013 info local/tmm1 tmm1[5245] Rule TEST_SSL-ProfileSelect_TCP-Logging : TCP Connection - Started, Time: 2013-03-03 11:46:22, the Client IP: 10.1.1.29 Client Port: 8586 to 10.178.254.30:443
    Sun Mar 3 11:46:26 AST 2013 debug local/tmm1 tmm1[5245] Rule OCSP-irule : Client 10.1.1.29 connected with the Client Certificate: CN=demo.yesser.gov.sa,OU=YESSER CSP,OU=Government CA,O=National Center for Digital Certification,C=SA and checking with OCSP
    Sun Mar 3 11:46:26 AST 2013 debug local/tmm1 tmm1[5245] Rule OCSP-irule : OCSP verfication from error, 1
    Sun Mar 3 11:46:26 AST 2013 info local/tmm tmm[5244] Rule TEST_SSL-ProfileSelect_TCP-Logging : TCP Connection - Started, Time: 2013-03-03 11:46:26, the Client IP: 10.1.1.29 Client Port: 8587 to 10.178.254.30:443
    Sun Mar 3 11:46:31 AST 2013 debug local/tmm tmm[5244] Rule OCSP-irule : Client 10.1.1.29 connected with the Client Certificate: CN=demo.yesser.gov.sa,OU=YESSER CSP,OU=Government CA,O=National Center for Digital Certification,C=SA and checking with OCSP
    Sun Mar 3 11:46:31 AST 2013 debug local/tmm tmm[5244] Rule OCSP-irule : OCSP verfication from error, 1
    Sun Mar 3 11:46:31 AST 2013 info local/tmm1 tmm1[5245] Rule TEST_SSL-ProfileSelect_TCP-Logging : TCP Connection - Started, Time: 2013-03-03 11:46:31, the Client IP: 10.1.1.29 Client Port: 8588 to 10.178.254.30:443

  • At the very least you're not including the AUTH::authenticate section in your code, which sends the OCSP request (and certificate data) to PAM.

    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid

    I'm actually a little surprised that AUTH_RESULT is even firing, but the error indicates that the process failed. If you watch the network traffic with TCPDUMP, I'm guessing that you never see an OCSP request leave the BIG-IP.

  • Hi,

    I updated the script with the AUTH section, but I am getting the error shown below.

    tail -f /var/log/ltm
    Mar 4 11:12:44 local/tmm1 info tmm1[5245]: Rule TEST_SSL-ProfileSelect_TCP-Logging : TCP Connection - Started, Time: 2013-03-04 11:12:44, the Client IP: 10.1.1.29 Client Port: 17774 to 10.178.254.30:443
    Mar 4 11:12:49 local/tmm1 err tmm1[5245]: 01220001:3: TCL error: while executing "AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]"
    Mar 4 11:12:49 local/tmm info tmm[5244]: Rule TEST_SSL-ProfileSelect_TCP-Logging : TCP Connection - Started, Time: 2013-03-04 11:12:49, the Client IP: 10.1.1.29 Client Port: 17775 to 10.178.254.30:443
    Mar 4 11:12:53 local/tmm err tmm[5244]: 01220001:3: TCL error: while executing "AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]"
    Mar 4 11:12:54 local/tmm1 info tmm1[5245]: Rule TEST_SSL-ProfileSelect_TCP-Logging : TCP Connection - Started, Time: 2013-03-04 11:12:54, the Client IP: 10.1.1.29 Client Port: 17776 to 10.178.254.30:443
    Mar 4 11:12:58 local/tmm1 err tmm1[5245]: 01220001:3: TCL error: while executing "AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]"
    Mar 4 11:12:58 local/tmm info tmm[5244]: Rule TEST_SSL-ProfileSelect_TCP-Logging : TCP Connection - Started, Time: 2013-03-04 11:12:58, the Client IP: 10.1.1.29 Client Port: 17777 to 10.178.254.30:443
    Mar 4 11:13:03 local/tmm err tmm[5244]: 01220001:3: TCL error: while executing "AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]"

  • Given that you're not doing too much customization, I recommend starting with a copy of the default OCSP iRule to make sure your other configurations are correct, and then add your logging statements after you know everything else works.
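Putting the replies together, the following is the kind of complete rule the last reply suggests starting from: the original poster's rule with its HSL logging kept, plus the AUTH::cert_credential / AUTH::cert_issuer_credential / AUTH::authenticate step that the third reply points out is missing, which is what actually sends the OCSP request to PAM. This is an added example written for this page, not the poster's rule and not F5's default OCSP iRule. It assumes the auth profile ncdc-ocsp-profile and the HSL pool SYSLOG_514_POOL named in the thread exist, and that the auth profile is attached to the virtual server the way `auth myocsp` is in the first reply's working configuration; the `SSL::cert count` guard and the log wording are this example's own, not taken from the thread.

```tcl
# Added example, not the thread's own rule: OCSP check of the client
# certificate with an explicit AUTH::authenticate step and fail-closed
# handling of every non-success result.
# Assumptions: auth profile "ncdc-ocsp-profile" and HSL pool
# "SYSLOG_514_POOL" exist and the auth profile is attached to the virtual.

when CLIENT_ACCEPTED {
   set tmm_auth_ssl_ocsp_sid 0
   set tmm_auth_ssl_ocsp_done 0
   # Off-box audit trail so OCSP decisions survive a local log rotation
   set hsl [HSL::open -proto UDP -pool SYSLOG_514_POOL]
}

when CLIENTSSL_CLIENTCERT {
   set tmm_auth_ssl_ocsp_done 0
   # No certificate presented: nothing to query. Whether that is fatal is
   # decided by the clientssl profile's "peer cert mode", not by this rule.
   if { [SSL::cert count] == 0 } {
      return
   }
   set ssl_cert [SSL::cert 0]
   if { $tmm_auth_ssl_ocsp_sid == 0 } {
      set tmm_auth_ssl_ocsp_sid [AUTH::start pam ncdc-ocsp-profile]
      if { [info exists tmm_auth_subscription] } {
         AUTH::subscribe $tmm_auth_ssl_ocsp_sid
      }
   }
   # The step the original rule lacked: hand the client certificate and its
   # issuer to PAM and start the OCSP query. Without this no request is sent
   # and AUTH_RESULT has nothing meaningful to report.
   AUTH::cert_credential $tmm_auth_ssl_ocsp_sid $ssl_cert
   AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
   AUTH::authenticate $tmm_auth_ssl_ocsp_sid
   # Park the handshake until AUTH_RESULT decides
   SSL::handshake hold
   set msg "Client [IP::client_addr] presented [X509::subject $ssl_cert]; querying OCSP"
   log local0.debug $msg
   HSL::send $hsl $msg
}

when CLIENTSSL_HANDSHAKE {
   set tmm_auth_ssl_ocsp_done 1
}

when AUTH_RESULT {
   # Only act on the result of our own auth session
   if { [info exists tmm_auth_ssl_ocsp_sid] and \
        ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id]) } {
      set tmm_auth_status [AUTH::status]
      if { $tmm_auth_status == 0 } {
         # Status 0 is the only pass: let the held handshake continue
         set tmm_auth_ssl_ocsp_done 1
         set msg "OCSP check passed for [IP::client_addr], status $tmm_auth_status"
         log local0.debug $msg
         HSL::send $hsl $msg
         SSL::handshake resume
      } elseif { $tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0 } {
         # Same condition as the rules in the thread: any other status while
         # the handshake is still held is treated as a failed check. Log the
         # numeric status so a responder outage is distinguishable from a
         # revoked certificate when reading /var/log/ltm or the HSL feed.
         set msg "OCSP check failed for [IP::client_addr], status $tmm_auth_status; rejecting"
         log local0.warn $msg
         HSL::send $hsl $msg
         reject
      }
   }
}
```

Two checks worth making against the configurations posted above before trusting the result of this rule. First, the working lab setup in the first reply attaches the auth profile to the virtual server (`auth myocsp`) and names the rule inside the auth profile (`rule myrule`); the later configuration shows neither on the virtual server, and the clientssl profile attached there is the default `clientssl` rather than the AGENCY_CLIENT-AUTHENTICATION_OB_02 profile that carries `peer cert mode require`, so the rule may be running without the profiles it depends on. Second, the lab responder in the first reply has `sig verify disable`, `verify cert disable`, `nonce disable` and `chain disable` set; that is convenient for confirming the request flow, but those are exactly the checks that make an OCSP answer trustworthy, so a production responder object should have them enabled once the flow is confirmed.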