tatsu
Oct 23, 2019 Nimbostratus
iRule for OCSP auth
Hi.
I'm trying HTTPS traffic offload with client authentication using BIG-IP VE on AWS.
And when a client cert is expired or revoked, I want to show the user another web page.
I am going to use an iRule to implement this.
Now I use a private CA and use it for OCSP authentication, but it didn't work as expected.
Both the traffic with a valid cert and the traffic with a revoked cert logged as "tmm[10048]: Rule /Common/_03_test_rule <CLIENTSSL_CLIENTCERT>: Cert verify result - ok".
"_03_test_rule" (the rule name as it appears in the log)
when CLIENTSSL_CLIENTCERT {
    # 0 means X509_V_OK; any other value is an X509_V_ERR_* code
    set error_code [SSL::verify_result]
    # Log the human-readable text for the verification result
    log local0. "Cert verify result - [X509::verify_cert_error_string $error_code]"
}
But in this case, HTTP access worked correctly.
- Valid cert -> could access the virtual server
- Revoked cert -> could not access the virtual server (browser message "Can't connect securely to this page")
I wonder why web access is (correctly) rejected but OCSP auth returns not 27 (X509_V_ERR_CERT_REVOKED) but 0 (X509_V_OK).
./ltm:Oct 17 15:23:41 ip-10-200-10-10 info tmm[10048]: Rule /Common/_03_test_rule <CLIENTSSL_CLIENTCERT>: Cert verify result - ok
When I use a local CRL file for auth, it works fine.
./ltm:Oct 17 15:27:30 ip-10-200-10-10 info tmm1[10048]: Rule /Common/_03_test_rule <CLIENTSSL_CLIENTCERT>: Cert verify result - certificate revoked
BIG-IP VE version is 15.0.1 build 0.0.11.
Regards,
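An added example, not the poster's rule, of the iRule the post is trying to build: one that serves a custom HTTP page when the client certificate fails verification instead of letting the TLS handshake fail. It relies on SSL::verify_result being populated in CLIENTSSL_CLIENTCERT, which the post shows working with a local CRL (the log line "certificate revoked"). It assumes the clientssl profile's Client Certificate setting is "request" rather than "require" (with "require" BIG-IP aborts the handshake on a failed verification, so HTTP_REQUEST never runs and the browser only sees a connection error, as in the post), and that a trusted CA bundle and CRL are configured on that profile. The rule name, log text and page contents are illustrative.

```tcl
# Added example (not the poster's rule). Returns a custom page when the
# client certificate fails verification instead of letting the TLS
# handshake fail. Assumes the clientssl profile has Client Certificate set
# to "request" (with "require" the handshake is aborted before HTTP_REQUEST
# can run) and a CA bundle plus CRL configured on the profile, as in the
# post's working CRL setup. Page wording is illustrative.
when CLIENTSSL_CLIENTCERT {
    # Variables set here live for the TCP connection, so HTTP_REQUEST can
    # read them; always initialise them so a later check never hits an
    # unset name. With "request" a client may present no cert at all,
    # so that case is handled explicitly.
    set cert_error ""
    set cert_subject "(none)"
    if { [SSL::cert count] == 0 } {
        set cert_error "no client certificate presented"
    } else {
        set cert_subject [X509::subject [SSL::cert 0]]
        set verify [SSL::verify_result]
        # 0 is X509_V_OK; anything else is an X509_V_ERR_* code and
        # verify_cert_error_string returns its text, e.g. "certificate revoked"
        if { $verify != 0 } {
            set cert_error [X509::verify_cert_error_string $verify]
        }
    }
    if { $cert_error eq "" } {
        log local0. "client cert ok: subject=$cert_subject"
    } else {
        log local0. "client cert failed: subject=$cert_subject error=$cert_error"
    }
}

when HTTP_REQUEST {
    if { [info exists cert_error] && $cert_error ne "" } {
        # Choose the page by the verification failure. The patterns are the
        # OpenSSL error texts that X509::verify_cert_error_string returns;
        # anything unexpected falls through to a generic page.
        switch -glob -- $cert_error {
            "certificate revoked"     { set page "revoked" }
            "certificate has expired" { set page "expired" }
            default                   { set page "invalid" }
        }
        log local0. "rejecting [IP::client_addr] ($cert_error) with $page page"
        set body "<html><body><h1>Access denied</h1>"
        append body "<p>Client certificate check failed: $cert_error ($page).</p>"
        append body "</body></html>"
        # Answer the request ourselves and close the connection so the
        # client cannot reuse it for further requests.
        HTTP::respond 403 content $body "Content-Type" "text/html" "Connection" "close"
        return
    }
}
```

Attach the rule to the virtual server that carries the clientssl profile. For the revoked-cert test in the post, the log shows the string "certificate revoked", which is exactly what the first switch branch matches; for the OCSP setup the post describes, the rule only reacts if SSL::verify_result is non-zero in CLIENTSSL_CLIENTCERT, so checking that log line first tells you whether this approach will fire.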