Forum Discussion

Simon_Waters_13
Oct 23, 2014

Troubleshooting OCSP (DNS?) configuration

Now I have 11.6.0

Now I have a certificate without SHA-1 (to avoid the Google Chrome degrade next month about certificates that expire after 2016/01/01 using SHA-1 signature).

I would like to set up OCSP Stapling.

Create a DNS resolver, tell it to forward for zone "." (?!) in route domain 0.

Add DNS resolver and certificate authority certificate to OCSP stapling.

Add the OCSP stapling to SSL profile at the same time as the certificate.

Apply the new SSL profile to the relevant virtual server.

Use "openssl s_client -tls1 -tlsextdebug -status -connect www.example.com:443"

It says "no OCSP response".

Check logs via web interface, nothing obviously wrong.

I presume either the DNS resolver in route domain 0 is not working, or the Trusted Certificate Authority in the OCSP object is the wrong kind of thing?!

Or I've messed up setting the SSL profile, as the relationship between "chain" and "OCSP Profile" seems a little odd to my way of thinking; then again, unless I add the "chain" and the OCSP profile at the same time the UI complains it already exists.

What steps should I take to confirm which of these is affected? (We've not needed DNS before on F5s.) I'm not sure I really want F5 caching DNS either, but it shouldn't matter.

Worked examples of setting up OCSP appreciated.


8 Replies

  • Has anyone started using OCSP with 11.6 that could lend some assistance? It would be much appreciated since askF5 doesn't seem to have details readily available yet.


  • I got a response from Charles in F5 Networks support regarding a ticket raised.

    F5 are working on more documentation, but probably they need a few keen souls to go wrong, to see what ways people go wrong having read what is written.


  • Not aware of any; I believe my problem stemmed from the assumption that whilst the F5 is doing outbound NAT it would be able to do OCSP requests, but the OCSP requests are trapped by firewall config (that'll stop it working), so probably mine is simply a networking issue, not an F5 issue as such, but I've yet to demonstrate that in anger.

    Again a support ticket got a comprehensive response from Charles Rosenberg.

    Configuring TLS optimally is surprisingly hard work these days; a current F5 box helps in that the defaults are good.

    But I think any tooling that can be done to help would be great, in terms of diagnosing the resolver, or exposing what parts are failing as precisely as possible. Qualys SSL Labs is doing a great job on the testing:

    https://www.ssllabs.com/ssltest/index.html

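The original post ends with an s_client check that reports "no OCSP response", and the reply above narrows the cause to the BIG-IP's egress path (resolver or firewall) rather than the SSL profile. The script below is an added example, not F5's documentation or the poster's own commands; it separates those two failure modes. `classify_staple` reads `openssl s_client -status` output and says whether a staple was actually sent, and `responder_check` takes the server certificate and its issuer, pulls the OCSP responder URL out of the certificate's AIA extension, resolves the responder's hostname (the job of the DNS resolver object) and then sends a real OCSP request to it (the HTTP request the egress firewall would block). The sample s_client output is constructed; the script assumes the `openssl` CLI and `getent` are present on the host it runs on.

```shell
#!/bin/sh
# Added example (not F5's or the poster's code). Two checks that separate the
# failure modes raised in the thread:
#   classify_staple  - reads `openssl s_client -status` output on stdin and
#                      reports whether the virtual server stapled a response
#                      (the "no OCSP response" symptom from the first post).
#   responder_check  - from the server cert and its issuer, finds the OCSP
#                      responder URL, resolves its host, and queries it
#                      directly. Run it from the BIG-IP (or another host on the
#                      same egress path) to tell a resolver/firewall problem
#                      from an SSL profile problem.
# Assumes the openssl CLI and getent are available.

classify_staple() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo "stapled" ;;
        *"OCSP response: no response sent"*)  echo "no-staple" ;;
        *"OCSP Response Status:"*)            echo "staple-not-successful" ;;
        *)                                    echo "unknown" ;;
    esac
}

# Live check of a virtual server. Drops the post's -tls1 (it forces TLS 1.0,
# which current servers refuse) and adds -servername so SNI picks the right
# SSL profile.
check_vip() {
    host=$1
    port=${2:-443}
    printf '' | openssl s_client -servername "$host" -connect "$host:$port" \
        -status 2>/dev/null | classify_staple
}

# $1 = server certificate PEM, $2 = issuing CA certificate PEM.
responder_check() {
    cert=$1
    issuer=$2
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    if [ -z "$url" ]; then
        echo "certificate carries no OCSP URI; stapling cannot work for it"
        return 1
    fi
    echo "responder: $url"
    # Strip the scheme, then port/path, leaving the host the resolver must answer for.
    responder_host=$(printf '%s\n' "$url" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##')
    if ! getent hosts "$responder_host" >/dev/null; then
        echo "DNS lookup failed for $responder_host (check the resolver object / forward zone)"
        return 2
    fi
    # Same HTTP request the BIG-IP makes; a blocked egress path shows up here.
    if out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -CAfile "$issuer" 2>&1); then
        printf '%s\n' "$out" | grep -E '^[^:]+: (good|revoked|unknown)' || printf '%s\n' "$out"
    else
        echo "OCSP request to $url failed (firewall or proxy on the egress path?)"
        printf '%s\n' "$out"
        return 3
    fi
}

# Constructed samples of s_client -status output, for offline checking.
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:/CN=www.example.com'

SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
---'

# Usage: ./ocsp_check.sh vip www.example.com [port]
#        ./ocsp_check.sh responder server.crt issuer.crt
case "${1:-}" in
    vip)       shift; check_vip "$@" ;;
    responder) shift; responder_check "$@" ;;
esac
```

If `check_vip` reports "no-staple" while `responder_check` run from the BIG-IP returns "good", the profile side (OCSP stapling object, chain, or the SSL profile attached to the virtual server) is the place to look; if `responder_check` stalls at the DNS step or the OCSP request, the resolver or the egress firewall is the problem, which matches the diagnosis in the reply above.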

  • Now, it's possible to get more information in this official documentation: SOL17111035: Configuring OCSP stapling https://support.f5.com/kb/en-us/solutions/public/k/17/sol17111035.html

  • Excellent, thanks, this is one of those "nice to have" that has lurked on my to-do list. I did receive an excellent support response from F5 previously.