Forum Discussion

barneb01_8208's avatar
barneb01_8208
Icon for Nimbostratus rankNimbostratus
Feb 21, 2012

SSL VS w/OCSP responder - Peer cert verify error

I have a SSL VS configured with a client ssl and OCSP authentication profile and I'm observing SSL hanshake failures even though the OCSP response status is successful (0). I enabled "bigpipe db Log.Ssl.Level debug" and received the following messages. Any ideas on how to troubleshoot this issue is appreciated.

 

 

 

Feb 21 14:39:44 local/tmm1 debug tmm1[5209]: 01260006:7: Peer cert verify error: unsupported certificate purpose (depth 0; cert /CN=nmc60.test.com)

 

 

Feb 21 14:39:44 local/tmm1 debug tmm1[5209]: 01260009:7: Connection error: ssl_shim_vfycert:2348: unsupported certificate purpose (42)

 

 

 

Below is the config I am using...

 

 

BIG-IP 10.2.1

 

 

virtual test_PUAC {

 

snat automap

 

pool test_PUAC

 

destination 192.168.192.200:https

 

ip protocol tcp

 

auth pr_sslocsp_test_nmc_pcrt10

 

profiles {

 

http {}

 

tcp {}

 

test_PCRT_wildcard {

 

clientside

 

}

 

}

 

}

 

profile auth pr_sslocsp_test_nmc_pcrt10 {

 

defaults from ssl_ocsp

 

config ocsp_resp_nmc_pcrt10_conf

 

type ssl ocsp

 

credential source http basic auth

 

}

 

auth ssl ocsp ocsp_resp_nmc_pcrt10_conf {

 

responders ocsp_resp_test_NMC_PCRT10

 

}

 

ocsp responder ocsp_resp_test_NMC_PCRT10 {

 

url "http://10.16.232.247/ocsp"

 

ca file "PCRT_ALL.crt"

 

signer "PCRT_Root-wildcard.crt"

 

sign key "PCRT_Root-wildcard.key"

 

}

 

profile clientssl test_PCRT_wildcard {

 

defaults from clientssl

 

key "PCRT_Root-wildcard.key"

 

cert "PCRT_Root-wildcard.crt"

 

chain "PCRT_ALL.crt"

 

ca file "PCRT_ALL.crt"

 

client cert ca "PCRT_ALL.crt"

 

peer cert mode require

 

}

 

 

 

Brian

 

 

 

 

 

config
design

4 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Feb 21, 2012
    Hi Brian,

     

     

    It sounds like someone's cert (the client or possibly the OCSP server) isn't set with a valid purpose (client or OCSP server). Who has the nmc60.test.com cert installed?

     

     

    Aaron
  • barneb01_8208's avatar
    barneb01_8208
    Icon for Nimbostratus rankNimbostratus
    Feb 24, 2012
    Hi Aaron,

     

    "nmc60.test.com cert" is installed on the client (not f5) and is the cert the f5 is attempting to authenticate via OCSP. The OCSP response is successful but the f5 doesn't like the purpose of the cert. Support had me load the client cert on the f5 and run the following ocsp commands...

     

     

    openssl verify -purpose sslclient -CAfile PCRT_ALL.crt nmc60.test.com.crt

     

    openssl verify -purpose sslserver -CAfile PCRT_ALL.crt nmc60.test.com.crt

     

     

    both commands return the same result:

     

    nmc60.test.com.crt: /CN=nmc60.test.com

     

    error 26 at 0 depth lookup:unsupported certificate purpose

     

    OK

     

     

    We had the admin who provisions the certs modify the purpose and then I ran the openssl command again and got a positive result. Problem now is the OCSP server responds with an "unauthorized" OCSP response with the updated client cert.

     

     

    The unauthorized response is a different issue, but I'm curious about the following...

     

     

    What "purpose type" does the f5 expect when verifying the client cert?

     

    Where in the ltm config can I view how the f5 is attempting to verify the cert and can those parameters be changed?

     

     

     

     

    Brian
    • barneb01_8208's avatar
      barneb01_8208
      Icon for Nimbostratus rankNimbostratus
      Dec 13, 2016

      Hi Emad, Review the "Client Authentication" settings of the SSL client profile assigned to the VS, and note the available "client certificate" options (ignore, require, request).

       

      The "require" setting enforces Client Certificate Authentication w/OCSP. The BIG-IP will request a client certificate and attempt to verify it. An SSL session is established ONLY if a valid client certificate from a trusted CA was presented AND if the client certificate was configured with the "ssl client" purpose.

       

      Brian