barneb01_8208
Feb 21, 2012 Nimbostratus
SSL VS w/OCSP responder - Peer cert verify error
I have an SSL VS configured with a client ssl and OCSP authentication profile and I'm observing SSL handshake failures even though the OCSP response status is successful (0). I enabled "bigpipe db Log.Ssl.Level debug" and received the following messages. Any ideas on how to troubleshoot this issue are appreciated.
Feb 21 14:39:44 local/tmm1 debug tmm1[5209]: 01260006:7: Peer cert verify error: unsupported certificate purpose (depth 0; cert /CN=nmc60.test.com)
Feb 21 14:39:44 local/tmm1 debug tmm1[5209]: 01260009:7: Connection error: ssl_shim_vfycert:2348: unsupported certificate purpose (42)
Below is the config I am using...
BIG-IP 10.2.1
virtual test_PUAC {
   snat automap
   pool test_PUAC
   destination 192.168.192.200:https
   ip protocol tcp
   auth pr_sslocsp_test_nmc_pcrt10
   profiles {
      http {}
      tcp {}
      test_PCRT_wildcard {
         clientside
      }
   }
}
profile auth pr_sslocsp_test_nmc_pcrt10 {
   defaults from ssl_ocsp
   config ocsp_resp_nmc_pcrt10_conf
   type ssl ocsp
   credential source http basic auth
}
auth ssl ocsp ocsp_resp_nmc_pcrt10_conf {
   responders ocsp_resp_test_NMC_PCRT10
}
ocsp responder ocsp_resp_test_NMC_PCRT10 {
   url "http://10.16.232.247/ocsp"
   ca file "PCRT_ALL.crt"
   signer "PCRT_Root-wildcard.crt"
   sign key "PCRT_Root-wildcard.key"
}
profile clientssl test_PCRT_wildcard {
   defaults from clientssl
   key "PCRT_Root-wildcard.key"
   cert "PCRT_Root-wildcard.crt"
   chain "PCRT_ALL.crt"
   ca file "PCRT_ALL.crt"
   client cert ca "PCRT_ALL.crt"
   peer cert mode require
}
Brian