Forum Discussion
hooleylist (Cirrostratus)
Feb 25, 2010
I'd guess that the DoD client certs need to be checked against the OCSP server and the Verisign client certs need to be checked against the Verisign OCSP server. There are two options I can think of for handling this:
1. On the OCSP servers VIP, add an iRule which checks the request and selects the OCSP pool member based on the request. I think this is probably the simplest and most efficient option. But I'd need to set this up and test to see how easy it would be to determine which CA's client cert is being checked based on the OCSP request.
You can check RFC2560 sections 2.1 and 4.1.1 and/or capture tcpdumps of the OCSP requests to see what in the requests could be used to differentiate the DoD and Verisign requests.
http://tools.ietf.org/html/rfc2560
2. Configure two separate auth profiles--one for each OCSP responder. As you don't know which client cert the client will present until the SSL handshake is done, I think you'd need to use three iRules for this: one to handle the cert requesting and then another each to handle the auth depending on which client cert is provided. I think this would be complicated with three rules.
3. On the OCSP servers VIP, add an iRule which tries each OCSP server until a successful response is received or there are no more OCSP servers to make the request to. Doing this would be inefficient as you'd potentially be making two side band requests to a remote server for each authentication attempt.
Note, the default action for load balancing (if you're testing with the OCSP servers VIP and pool) is to select one pool member for each connection. By default LTM doesn't try multiple pool members for one client request. Or are you testing with multiple responders configured and not a single VIP pointing to the responders? If so, LTM will use the responders in alphabetical order. This is described in SOL7746. I'm not sure what criteria LTM uses to determine when to check another responder. It might just be if a TCP connection can't be established to the prior responder.
SOL7746: Ordering Online Certificate Status Protocol (OCSP) responders in the SSL OCSP profile
https://support.f5.com/kb/en-us/solutions/public/7000/700/sol7746.html
I am a bit swamped this week, so I don't think I'm going to have time to test this. I can try later next week though. Else, if you try any of these options and run into issues, let me know.
Thanks,
Aaron
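An added example, not from this post and not F5 code, showing what option 1 would have to inspect: RFC 2560 section 4.1.1 puts a CertID in each OCSP Request, and the CertID carries the hash of the issuer's name and the hash of the issuer's public key, so a request can be mapped to a responder pool by issuerKeyHash. The script below builds two minimal DER-encoded OCSPRequests, parses the CertID back out, and picks a pool; the issuer names, key bytes and pool names are constructed placeholders (a real deployment would hash the DoD and VeriSign CA certificates' DER Name and subjectPublicKey), and the lookup would be written in TCL inside the iRule rather than in Python.

```python
# Added example (not from the original post or from F5): route an OCSPRequest
# to a responder pool by the issuerKeyHash in its CertID (RFC 2560 4.1.1).
# Pure-Python DER; issuer values and pool names are constructed placeholders.
import hashlib

OID_SHA1 = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26 (id-sha1)


def der_len(n):
    """DER length octets for a content length n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def build_ocsp_request(issuer_name, issuer_pubkey, serial):
    """Build a minimal OCSPRequest with one Request/CertID using SHA-1 hashes."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 7) // 8 or 1, "big")
    if serial_bytes[0] & 0x80:           # DER INTEGER must stay positive
        serial_bytes = b"\x00" + serial_bytes
    cert_id = tlv(0x30,
                  tlv(0x30, tlv(0x06, OID_SHA1) + tlv(0x05, b""))  # hashAlgorithm
                  + tlv(0x04, hashlib.sha1(issuer_name).digest())  # issuerNameHash
                  + tlv(0x04, hashlib.sha1(issuer_pubkey).digest())  # issuerKeyHash
                  + tlv(0x02, serial_bytes))                         # serialNumber
    request = tlv(0x30, cert_id)          # Request ::= SEQUENCE { reqCert CertID }
    tbs = tlv(0x30, tlv(0x30, request))   # TBSRequest { requestList SEQUENCE OF Request }
    return tlv(0x30, tbs)                 # OCSPRequest { tbsRequest }


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def parse_cert_ids(req):
    """Return [(issuerNameHash, issuerKeyHash, serial), ...] from an OCSPRequest."""
    tag, ocsp, _ = read_tlv(req, 0)
    if tag != 0x30:
        raise ValueError("not an OCSPRequest")
    _, tbs, _ = read_tlv(ocsp, 0)
    request_list, pos = None, 0
    while pos < len(tbs):                 # skip optional [0] version / [1] requestorName
        tag, content, pos = read_tlv(tbs, pos)
        if tag == 0x30:
            request_list = content
            break
        if tag not in (0xA0, 0xA1):
            raise ValueError("unexpected element in TBSRequest")
    if request_list is None:
        raise ValueError("no requestList")
    results, pos = [], 0
    while pos < len(request_list):
        _, request, pos = read_tlv(request_list, pos)
        _, cert_id, _ = read_tlv(request, 0)
        p = 0
        _, _alg, p = read_tlv(cert_id, p)
        _, name_hash, p = read_tlv(cert_id, p)
        _, key_hash, p = read_tlv(cert_id, p)
        _, serial, p = read_tlv(cert_id, p)
        results.append((name_hash, key_hash, int.from_bytes(serial, "big")))
    return results


# Constructed placeholders standing in for the real DoD and VeriSign issuing CAs.
ISSUERS = {
    "dod_ca_example": (b"CN=Example DoD CA", b"example-dod-key-bytes"),
    "verisign_ca_example": (b"CN=Example VeriSign CA", b"example-verisign-key-bytes"),
}
POOL_BY_KEY_HASH = {
    hashlib.sha1(ISSUERS["dod_ca_example"][1]).digest(): "dod_ocsp_pool",
    hashlib.sha1(ISSUERS["verisign_ca_example"][1]).digest(): "verisign_ocsp_pool",
}


def select_pool(req, default="reject"):
    """Pick the responder pool from the issuerKeyHash values in the request.

    Unknown issuers or a request mixing several issuers fall back to `default`
    rather than being forwarded to a responder that cannot answer for them.
    """
    pools = {POOL_BY_KEY_HASH.get(k) for _, k, _ in parse_cert_ids(req)}
    if len(pools) != 1 or None in pools:
        return default
    return pools.pop()


if __name__ == "__main__":
    dod_req = build_ocsp_request(*ISSUERS["dod_ca_example"], 0x1234)
    print(select_pool(dod_req))  # dod_ocsp_pool
```

The same selection in an iRule would read the POST body, locate the two OCTET STRINGs inside the CertID with `binary scan`, and call `pool` with the matching name; the fallback for an unknown issuer matters because forwarding a request to the wrong responder only yields an "unknown" status and wastes a sideband round trip.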