OCSP: Bad Request
Hello all. I'm trying to implement OCSP stapling and OCSP monitoring for my SSL certificates. OCSP stapling is enabled but never turned on, and OCSP monitoring fails with "OCSP Connection Error: HTTP response doesn't indicate that it is an OCSP response.". A packet capture shows me a "400 Bad Request" response from the OCSP provider. I'm using certificates from Let's Encrypt in a lab environment, running BigIP 13.1.0.4. The plan is to offload the SSL from the web servers behind the F5, and until this happens, these servers still have their SSL features fully loaded, including OCSP stapling active and working, using these very same certificates. I followed this article and a few other previous-version hints found in the community, to no avail. I'm not sure what I'm missing at the F5 end. Any suggestions? Thanks!

[Edit] A few more supporting data points:

From an external server, to my F5 VIP:

    $ openssl s_client -connect x.x.x.x:443 -status
    CONNECTED(00000003)
    OCSP response: no response sent

From an external server, to my live HTTPS server:

    $ openssl s_client -connect y.y.y.y:443 -status
    CONNECTED(00000003)
    OCSP response:
    ======================================
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Produced At: Mar 30 20:28:00 2018 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 03E41153079FCD7DFCECDBA6FA1C7DEA3C4E
        Cert Status: good
        This Update: Mar 30 20:00:00 2018 GMT
        Next Update: Apr 6 20:00:00 2018 GMT

As per the linked article, I changed the logging level to debug (tmsh modify sys db log.ssl.level value debug); absolutely nothing SSL related (in fact, only soap entries whenever the GUI received an update) gets recorded in the /var/log/ltm logfile.
    root@(xxx)(cfg-sync Standalone)(Active)(/Common)(tmos) show sys crypto cert-validator ocsp LetsEncrypt_OCSP
    -------------------------------
    Sys::OCSP: LetsEncrypt_OCSP
    -------------------------------
    OCSP Requests                   38
    Internal Errors                  0
    Successful Cache Requests        0
    Connection Errors
      HTTP Errors                   38
      Timeouts                       0
      Other Failures                 0
    Response Errors
      Malformed Requests             0
      Internal Errors                0
      Try Later Errors               0
      Signature Required Errors      0
      Unauthorized Errors            0
    Response Validation Errors
      Parsing Failures               0
      Verification Errors            0
      Validity Errors                0
      Other Errors                   0
    Certificate Status
      Good                           0
      Revoked                        0
      Unknown                        0

DISA OCSP responder sometimes producing errors
Hi, not sure if there are others that have this issue; it seems sporadic. I'm using BigIP v13.1.1. OCSP will sometimes fail and users will fail to login, and it will fail for a random duration of time, which makes me think it may be an issue with DISA's OCSP servers. It doesn't happen daily. I have a pretty standard APM setup. No HA, nothing weird.

My VPE: Start -> On Demand Cert (request) -> OCSP (/Common/DISA_OCSP, cert type user) -> etc etc ->

For my OCSP config I have default settings, with the Certificate Authority file as the DOD CA bundle and Verify Other as the DOD Email CA bundle. Everything is checked besides Ignore AIA and Trust Other.

The error in /var/log/apm is:

    OCSP Auth agent: Failure status 'Error querying OCSP responsder host (ocsp.disa.mil) path (/)'

("responsder" is a typo in the error message itself.)

Looking at my email cert, it looks like I have two different AIAs. One is a crl.disa.mil URL pointing at my CA's DODEMAILCA cer file, the other is ocsp.disa.mil. Can anyone recommend a more stable way to configure this?

OCSP check iRule issues
Hi, so, as I have quite some issues with OCSP/client cert checks using an auth profile with an attached iRule, I wanted to start from scratch. IF YOU CAN EVEN ONLY ANSWER ONE OF THE QUESTIONS, PLEASE DO SO!

While starting with _sys_auth_ssl_ocsp, I noticed a few things:

1) We shouldn't have to do this, at least when we set tmm_auth_subscription to "*" in CLIENT_ACCEPTED, right?

    if {[info exists tmm_auth_subscription]} {
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
    }

Though, can it somehow be possible that we get too many AUTH_RESULT events if we set it to "*"?

2) The AUTH_RESULT event will probably produce connection timeouts:

    when AUTH_RESULT {
        if {[info exists tmm_auth_ssl_ocsp_sid] and \
            ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
            set tmm_auth_status [AUTH::status]
            if {$tmm_auth_status == 0} {
                set tmm_auth_ssl_ocsp_done 1
                SSL::handshake resume
            } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
                reject
            }
        }
    }

If the first "if" statement is not true for whatever reason OR we get a tmm_auth_status of -1 (general OCSP error), the held SSL handshake will never finish and we will run into either the OCSP idle timeout or a TCP timeout; so wouldn't it generally be better to ALWAYS do the SSL::handshake resume and just do a "return" after the reject for that special case? Or is there any special reason we shouldn't resume the handshake here?

3) Can someone please explain

    if {[info exists tmm_auth_ssl_ocsp_sid] and \
        ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {

to me? AFAIK, last_event_session_id is the last processed auth event generally. In a high-load scenario (and because the AUTH is most likely multithreaded) it may happen that this is not true. Or is the AUTH_RESULT event called for ALL instances, and this if-statement just means that we want the correct instance to process it?

Many thanks in advance,
Rene

Enabling OCSP stapling via f5-sdk fails
I want to enable OCSP stapling for a lot of clientSSL profiles, so I thought I'd use the f5-sdk Python library. However, my tests so far fail miserably, even without trying to change the actual setting. Here's what I tested:

    #! /usr/bin/env python3
    from f5.bigip import ManagementRoot

    mgmt = ManagementRoot("hostname", "username", "password")
    profile = mgmt.tm.ltm.profile.client_ssls.client_ssl.load(partition="Common", name="myprofile")
    print(profile.ocspStapling)
    profile.update()

This prints the current ocspStapling value ('disabled'), but updating the unchanged profile fails:

    $ python3 ocsp-test2.py
    disabled
    Traceback (most recent call last):
      File "ocsp-test2.py", line 15, in <module>
        profile.update()
      File "/Users/teun/Library/Python/3.7/lib/python/site-packages/f5/bigip/resource.py", line 617, in update
        self._update(**kwargs)
      File "/Users/teun/Library/Python/3.7/lib/python/site-packages/f5/bigip/resource.py", line 580, in _update
        response = session.put(update_uri, json=data_dict, **requests_params)
      File "/Users/teun/Library/Python/3.7/lib/python/site-packages/icontrol/session.py", line 295, in wrapper
        raise iControlUnexpectedHTTPError(error_message, response=response)
    icontrol.exceptions.iControlUnexpectedHTTPError: 400 Unexpected Error: Bad Request for uri: https://hostname:443/mgmt/tm/ltm/profile/client-ssl/~Common~myprofile/
    Text: '{"code":400,"message":"\\"{ dont-insert-empty-fragments no-tlsv1.1 single-dh-use no-sslv3 no-tlsv1 }\\" unexpected argument","errorStack":[],"apiError":26214401}'

I didn't change any settings of the profile, so why would it fail to update? As a test, I removed these SSL options, but that doesn't help either.
The error message changes, of course, but updating an unchanged profile still fails:

    icontrol.exceptions.iControlUnexpectedHTTPError: 400 Unexpected Error: Bad Request for uri: https://hostname:443/mgmt/tm/ltm/profile/client-ssl/~Common~myprofile/
    Text: '{"code":400,"message":"01b4002a:3: Client SSL profile (/Common/myprofile):cert-key-chain and profile cert/key/chain/passphrase options cannot be specified together.","errorStack":[],"apiError":3}'

I really fail to see what's wrong here and what I need to do to get this to work. Any other suggestions on configuring OCSP stapling via Python are welcome too.

OCSP and Comodo cert
Hi all, I was wondering if somebody ran into the same issue with OCSP and Comodo-issued certs. Since last week we're getting "OCSP Check Failed" messages for Comodo-issued certificates. We did some tcpdumps to figure out what's going on and it seems that the Comodo OCSP URL requires a Host header. This was the HTTP response to our OCSP request:

    Invalid URL
    The requested URL "[no URL]", is invalid.
    Reference 9.7ce58db.1529652000.5b7f63b

A manually performed check confirmed the issue (we're on 12.1.2-HF2):

    openssl ocsp -issuer comodo-chain-bundle.crt -cert web-certificate.crt -text -url http://ocsp.comodoca.com -no_nonce -verify_other comodo-chain-bundle.crt
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: xxxx
              Issuer Key Hash: yyyy
              Serial Number: zzzz
    Error querying OCSP responder
    47881717408264:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:247:Code=400,Reason=Bad Request

By adding a Host header to the openssl command we were able to get a successful response:

    openssl ocsp -issuer comodo-chain-bundle.crt -cert web-certificate.crt -text -url http://ocsp.comodoca.com -no_nonce -verify_other comodo-chain-bundle.crt -header "Host" "ocsp.comodoca.com"
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: xxxx
              Issuer Key Hash: yyyy
              Serial Number: zzzz
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
        Produced At: Jun 20 08:45:26 2018 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: xxxx
          Issuer Key Hash: yyyy
          Serial Number: zzzz
        Cert Status: good
        This Update: Jun 20 08:45:26 2018 GMT
        Next Update: Jun 27 08:45:26 2018 GMT

        Signature Algorithm: sha256WithRSAEncryption
    ---snippp---
    Response verify OK
    web-certificate.crt: good
            This Update: Jun 20 08:45:26 2018 GMT
            Next Update: Jun 27 08:45:26 2018 GMT

The "web-certificate.crt" is issued by:

    Issuer: COMODO RSA Domain Validation Secure Server CA, COMODO CA Limited

Our "comodo-chain-bundle.crt" contains:

    Common Name: COMODO RSA Domain Validation Secure Server CA
    Issuer: COMODO RSA Certification Authority, COMODO CA Limited

    Common Name: COMODO RSA Certification Authority
    Issuer: COMODO RSA Certification Authority, COMODO CA Limited

Our implemented OCSP check doesn't send a Host header and we have no issue with certificates issued by other CAs. Does anybody know a workaround? Can we safely add a Host header to our OCSP check without affecting the checks of other certificates? Any hint is much appreciated.

cheers

Enable OCSP Stapling via REST API
Hi all, I'm struggling with the command syntax that will apply my OCSP stapling configuration on a certificate. I have found a workaround by pushing native tmsh commands via the bash API like this:

    curl -sk -u admin:password -X POST -H "Content-type: application/json" https://bigip-mgmt-ip/mgmt/tm/util/bash -d "{\"command\":\"run\", \"utilCmdArgs\": \"-c 'tmsh modify sys crypto cert example.com_2021-12-12 cert-validation-options { ocsp } cert-validators replace-all-with { letsencrypt_ocsp_R3 } issuer-cert R3_LE_2025'\"}"

It works, but I find it crude and against the idea of using the API. I would very much like to be able to do it all REST API native, but all tries end up in:

    {"code":415,"message":"Found invalid content-type. The content-type must be application/json. The received content-type is application/x-www-form-urlencoded","errorStack":[],"apiError":1}

Any input is very much appreciated!

CRL & OCSP validation of client certificates from X509 fields
I have a requirement to create a client-certificate-authenticated VIP with revocation checks. The problem is that the client certificate presented can be issued from one of about 100 different CAs. There is an XML feed which provides me all of the valid CA certificates and I already have a solution to get these into a certificate bundle on the F5, so that's not a problem. I also have an iRule to check the certificate fingerprint against a whitelist; again, this works great. However, I am required to check for certificate revocation. Each certificate will have either (or both) a CRL distribution point or an OCSP responder listed in its X509 fields. Is there any way I can get the F5 to automatically check for certificate revocation against these fields without having to manually import all of the CRL lists and/or set up all the OCSP responders manually? Or failing that, is there a (simplish) way for the F5 to scan the CA bundle and automatically download all the CRL files and concatenate them?

Client Authentication - Address of the OCSP responder using AIA extension (LTM only)
Hello folks,

With regards to the PSD2 Directive we would like to provide TPP (third-party payment service provider) authentication in LTM (without APM) via OCSP. Certificates need to be validated against different OCSP responders, based on the X509 AIA extension ("Authority Information Access"). The idea is the following: BIG-IP authenticates the client (SSL) and checks the client's certificate revocation status via OCSP, and sends X-Client-Certificate to the back-end for further processing (already done via iRule).

I have found that there is an out-of-the-box iRule "_sys_auth_ssl_ocsp", but I'm not sure what its point is exactly and whether this iRule is trying to reach the OCSP responders using the AIA. Also there are some cases/articles in DevCentral which point out that if we leave the URL empty in the OCSP Responders configuration under Local Traffic ›› Profiles : Authentication : OCSP Responders ›› New OCSP Responder..., the BIG-IP will use the AIA to contact the OCSP responders.

To make things more complicated, we need to go to the OCSP responders via an explicit outbound proxy.

Will appreciate any kind of advice and help. Thank you!

OCSP authentication query via http proxy
Hello, I need some help with configuring an authentication profile for a VS. We have a service with client authentication using certificates. I need to verify the validity of the client certificate using OCSP, so I've created an authentication profile with an OCSP responder definition. The missing part is how to send the HTTP query via our HTTP proxy gateway; I do not see such an option in the GUI. There is a predefined system iRule called _sys_auth_ssl_ocsp which is responsible for doing the query. I believe that by modifying this iRule I could send the request via the proxy. Could you support me with this?

Dynamic OCSP and CRLDP check for SSL Client Authentication
Dear all, I have a use case where a virtual server is configured with a client SSL profile and client authentication is enabled. The client certificates can be signed by any CA in a bundle that is assigned to the profile as well. We want to enable the revocation status check based on the information in the certificate; it can be either CRLDP or OCSP. There are some configuration objects in "Local Traffic >> Profiles >> Authentication", but these profiles need static URLs for the CRLDP and OCSP. I also read that this is based on the ACA module, which has been deprecated. So I would assume that the only solution would be the APM module, but I would like to get a clear answer if possible. Thanks a lot.

Abdessamad