Brad_Parker
Feb 04, 2015
OCSP Stapling
Has anyone successfully got OCSP stapling working in 11.6? If so, can you share your configuration?
I haven't been successful either and am working with support get this to work. At the moment engineering is looking at the issues and my configuration 'seems' to be fine (at least according to support).
Keep you updated with the results...
Looking for the same info, so if support has gotten back to you, I'd like to see what you ended up using (you = Ronald)
I managed to get a working environment... As I work with several partitions and routing domains I had several other issues to deal with...
The following steps were done to finally get OCSP stapling to work:
My issues:
Results..
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 42B6511E20AE925461D1611744ECB5A71A74D039
Produced At: May 7 03:35:38 2015 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: D1F1B576F9EEC0C10F7AFC7C3124A9C3625D7C61
Issuer Key Hash: EA4E7CD4802DE5158186268C826DC098A4CF970F
Serial Number: 1121283877D6C3E4AD590147B7F9B0AB5A76
Cert Status: good
This Update: May 7 03:35:38 2015 GMT
Next Update: May 7 15:35:38 2015 GMT
Troubleshooting tips:
Hello, I have successfully configured an OCSP Stapling profile with some help from F5 Support (thanks Melina)
I have a:
Wildcard certificate signed by thawte (let's name it PFX)
thawte intermediate certificate (let's name it CRT-INTR)
thawte root certificate (let's name it CRT-ROOT)
No idea which Sign Hash algo is used by thawte OCSP Responders
So the guide is here:
Upload the client certificate PFX to BIG-IP
Upload the certificate bundle to BIG-IP: first the intermediate CRT-INTR, then the root CRT-ROOT. If your chain is deeper, then you need to upload INTR1, INTR2, ROOT [BUNDLE]
Create a default DNS Resolver in Network -> DNS Resolvers -> DNS Resolver List [DNS]
Create an OCSP Stapling profile in Local Traffic -> Profiles -> SSL -> OCSP Stapling [OCSP]
Use the DNS Resolver created earlier [DNS], use the Trusted Certificate Authorities created earlier [BUNDLE], set Status Age to 86400
Create a Client SSL profile with the OCSP Stapling profile created earlier selected
Test each Sign Hash algo (SHA1/SHA256) against an external OCSP Stapling checker, like https://www.ssllabs.com/ssltest/
Hello! What does this mean in the ltm log file?
Sep 22 16:12:23 F5-TEST-VC warning tmm[16256]: 01260024:4: OCSP failure on profile /Click/testjmb_ssl, certificate with issuer /C=US/O=thawte, Inc./OU=Terms of use at https://www.thawte.com/cps (c)06/CN=thawte Extended Validation SSL CA and serial number ffffffffffffffff: HTTP error - - 503
I've just done this after setting up new certs from Let's Encrypt.
For anyone else hitting issues with OCSP Stapling, I ran into a few gotchas, including:
a) 11.6.0 HF6 has a default Status Age value of 300. Had to up it to 86400 as per the previous poster's recommendation.
b) The default Sign Hash used to identify the certificate to check is SHA256... Let's Encrypt's OCSP responder won't accept SHA256, it needs to be SHA1.
c) Let's Encrypt's OCSP responder will not include its own cert in the response. The "Trusted Responders" option needs to be set properly in the OCSP Stapling profile.
A bit more info at the link below, including examples of debugging using openssl CLI commands.
https://blog.routedlogic.net/?p=1235
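As an added example (not code from this thread, from F5 or from the linked blog), here is a client-side check for the stapling setup described in the guide above and the gotchas in this post: it drives `openssl s_client -status` (assumed to be on PATH) against the virtual server, parses the OCSP Response Data block in the form shown in the results posted earlier, and reports the failure modes practitioners hit: no staple at all, a non-good certificate status, and a cached response that has aged past its Next Update (the case Status Age tuning affects). The sample output is constructed from the response data posted earlier in the thread.

```python
import re
import subprocess
from datetime import datetime, timezone
# Constructed sample of `openssl s_client -status` output, built from the OCSP
# Response Data block posted earlier in this thread (only the parsed fields kept).
SAMPLE_GOOD = """OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: May  7 03:35:38 2015 GMT
    Next Update: May  7 15:35:38 2015 GMT
"""
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"   # timestamp format openssl prints

def fetch_status_output(host, port=443, timeout=15):
    """Request a stapled OCSP response from host:port; returns openssl's full output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return (proc.stdout + proc.stderr).decode(errors="replace")

def parse_stapled_response(text):
    """Extract the fields that decide pass/fail; no data block means nothing was stapled."""
    if "OCSP Response Data:" not in text:       # openssl prints "no response sent"
        return {"stapled": False}
    fields = {"stapled": True}
    for key, pat in (("response_status", r"OCSP Response Status:\s*(\S+)"),
                     ("cert_status", r"Cert Status:\s*(\S+)"),
                     ("this_update", r"This Update:\s*(.+)"),
                     ("next_update", r"Next Update:\s*(.+)")):
        m = re.search(pat, text)
        fields[key] = m.group(1).strip() if m else None
    for key in ("this_update", "next_update"):   # make the window comparable to now
        if fields[key]:
            fields[key] = datetime.strptime(fields[key], OPENSSL_TIME).replace(tzinfo=timezone.utc)
    return fields

def evaluate(fields, now=None):
    """Return (ok, reason); ok only for a successful, 'good', currently valid staple."""
    now = now or datetime.now(timezone.utc)
    if not fields["stapled"]:
        return False, "no OCSP response stapled (check the Client SSL / OCSP Stapling profile)"
    if fields["response_status"] != "successful":
        return False, f"responder status {fields['response_status']}"
    if fields["cert_status"] != "good":
        return False, f"cert status {fields['cert_status']}"
    if fields["this_update"] and now < fields["this_update"]:
        return False, "stapled response not yet valid (check clocks on BIG-IP and client)"
    if fields["next_update"] and now > fields["next_update"]:
        return False, "stapled response is stale (cached past its Next Update)"
    return True, "stapled response is good and current"
```

Run `evaluate(parse_stapled_response(fetch_status_output("vip.example.com")))` against the virtual server; a False result with "stale" means BIG-IP is still serving a cached response after the responder's Next Update.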