0_11329 (Nimbostratus) - Jun 03, 2008
Valid certificate is identified as revoked by "OCSP Authentication error redirect" iRule
Hi,
As part of the implementation of a PKI, I am trying to use the "OCSP Authentication error redirect" iRule on a BigIP 1500 LTM (version 9.3.1), intended to redirect the client browser to a specific web page when authentication fails (no client certificate, expired certificate, revoked certificate, others).
I have installed the relevant CA in the BigIP.
And...
We are encountering an authentication problem that we cannot explain: a valid certificate is identified by the iRule as revoked, which does not seem to correspond to normal functioning, in my opinion.
However, the "OCSP Authentication error redirect" iRule is listed as ***** 2nd Place Customer Winner ***** !!! So I tell myself that the rule must work properly...
Did I miss something?
I will appreciate your point of view & experiences ;7) Thanks a lot in advance.
"OCSP Authentication error redirect" iRule
-----------------------------------------------------------------------------------
        SSL::handshake resume
        lset ssl_array 1 "auth_failure"
        session add ssl $id $ssl_array 21600
    }
}
when AUTH_WANTCREDENTIAL {
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        reject
        log "[IP::client_addr] WANTCREDENTIAL"
    }
}
when AUTH_ERROR {
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        lset ssl_array 1 "auth_failure"
        session add ssl $id $ssl_array 21600
        log "[IP::client_addr] AUTHERROR"
    }
}
when HTTP_REQUEST {
    set id [SSL::sessionid]
    set ssl_array1 [session lookup ssl $id]
    set ssl_data0 [lindex $ssl_array1 0]
    set ssl_data1 [lindex $ssl_array1 1]
    if { $ssl_data0 contains "expired" } {
        set fail_payload_part1 ""
        set fail_payload_part2 "You appear to have a certificate that has expired."
        set fail_payload_part3 "If you feel you have received this message in error,"
        set fail_payload_part4 "please contact the appropriate help center"
        set fail_payload [concat $fail_payload_part1 $fail_payload_part2 $fail_payload_part3 $fail_payload_part4]
        HTTP::respond 200 content $fail_payload
    } elseif { $ssl_data1 contains "auth_failure" } {
        set fail_payload_part1 ""
        set fail_payload_part2 "You appear to have a certificate that has been revoked."
        set fail_payload_part3 "If you feel you have received this message in error,"
        set fail_payload_part4 "please contact the appropriate help center"
        set fail_payload [concat $fail_payload_part1 $fail_payload_part2 $fail_payload_part3 $fail_payload_part4]
        HTTP::respond 200 content $fail_payload
    } elseif { $ssl_data0 contains "ok" } {
        HTTP::header insert SSLCLientCertStatus $ssl_data1
    } else {
        set fail_payload_part1 ""
        set fail_payload_part2 "It appears that you either do not have a valid DoD PKI certificate installed"
        set fail_payload_part3 "and functioning in your browser or your session has timed-out. If you feel you have received"
        set fail_payload_part4 "this message in error, please try connecting again or contact the appropriate help center"
        set fail_payload [concat $fail_payload_part1 $fail_payload_part2 $fail_payload_part3 $fail_payload_part4]
        HTTP::respond 200 content $fail_payload
    }
}
-----------------------------------------------------------------------------------
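The iRule quoted above keeps a two-element list per SSL session id (index 0: certificate status text such as "ok" or "expired"; index 1: set to "auth_failure" when AUTH_ERROR fires for the OCSP auth session) and picks the response page from that list in HTTP_REQUEST. The Python model below is an added example, not part of the original post and not F5 code; it reproduces that storage and the same branch order so the outcome of each event sequence can be checked offline. The handshake-time handler (cut off in the quoted rule), the "auth_success" placeholder, the session ids and the AUTH_ERROR reasons are constructed assumptions; the session TTL of 21600 seconds and the branch order come from the rule itself.

```python
import time

SESSION_TTL = 21600  # seconds, matching "session add ssl $id $ssl_array 21600"


class SessionTable:
    """Minimal stand-in for the LTM session table keyed by SSL session id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # sid -> (expires_at, [cert_status, auth_status])

    def add(self, sid, ssl_array):
        self._rows[sid] = (self._clock() + SESSION_TTL, list(ssl_array))

    def lookup(self, sid):
        row = self._rows.get(sid)
        if row is None or row[0] <= self._clock():
            return []  # missing or timed-out entry: nothing to index into
        return row[1]


def lindex(lst, i):
    """Tcl-style lindex: an out-of-range index yields the empty string."""
    return lst[i] if 0 <= i < len(lst) else ""


def on_cert_verified(table, sid, cert_status):
    # Assumed handshake-time handler (not visible in the quoted rule): store the
    # certificate status at index 0; "auth_success" at index 1 is a constructed
    # placeholder for whatever the success path of the real rule stores there.
    table.add(sid, [cert_status, "auth_success"])


def on_auth_error(table, sid, reason):
    # AUTH_ERROR in the quoted rule: index 1 becomes "auth_failure" for *any*
    # error on the OCSP auth session; the reason only reaches the log line.
    ssl_array = list(table.lookup(sid))
    while len(ssl_array) < 2:
        ssl_array.append("")
    ssl_array[1] = "auth_failure"
    table.add(sid, ssl_array)
    return f"AUTHERROR ({reason})"  # stands in for log "[IP::client_addr] AUTHERROR"


def on_http_request(table, sid):
    """Same branch order as the quoted HTTP_REQUEST event."""
    ssl_array = table.lookup(sid)
    ssl_data0 = lindex(ssl_array, 0)
    ssl_data1 = lindex(ssl_array, 1)
    if "expired" in ssl_data0:
        return ("respond", "expired")
    elif "auth_failure" in ssl_data1:
        return ("respond", "revoked")
    elif "ok" in ssl_data0:
        return ("header", ssl_data1)  # HTTP::header insert SSLCLientCertStatus
    else:
        return ("respond", "no_cert_or_timeout")


def run_scenarios():
    """Drive the model through the event sequences a client can produce."""
    now = [1_000_000.0]  # constructed clock so the TTL case is reproducible
    table = SessionTable(clock=lambda: now[0])
    results = {}

    on_cert_verified(table, "sid-good", "ok")
    results["good_cert_ocsp_good"] = on_http_request(table, "sid-good")

    on_cert_verified(table, "sid-revoked", "ok")
    on_auth_error(table, "sid-revoked", "ocsp status revoked")
    results["good_cert_ocsp_revoked"] = on_http_request(table, "sid-revoked")

    # Same code path as the genuine revocation above: the rule cannot tell
    # them apart, so a valid certificate also ends on the "revoked" page.
    on_cert_verified(table, "sid-unreach", "ok")
    on_auth_error(table, "sid-unreach", "ocsp responder unreachable")  # constructed reason
    results["good_cert_responder_down"] = on_http_request(table, "sid-unreach")

    on_cert_verified(table, "sid-expired", "expired")
    results["expired_cert"] = on_http_request(table, "sid-expired")

    results["unknown_session"] = on_http_request(table, "sid-never-seen")

    now[0] += SESSION_TTL + 1  # entry for sid-good has now timed out
    results["good_cert_after_ttl"] = on_http_request(table, "sid-good")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

The scenario to look at is the third one: in the quoted rule every AUTH_ERROR on the OCSP auth session ends on the "revoked" page, whether the responder actually reported a revoked status or the OCSP exchange failed for some other reason, so the page text alone does not say which happened. The log line the rule writes in AUTH_ERROR ("[IP::client_addr] AUTHERROR") is the place to distinguish the two on the LTM side, and checking the certificate's status directly against the CA's OCSP responder confirms what the responder is really answering.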