K75106155: Configuring OCSP stapling (13.x - 16.x)

Non-Diagnostic

Original Publication Date: Feb 13, 2019

Update Date: Sep 3, 2021

Topic

This article applies to BIG-IP 13.x - 16.x. For information about other versions, refer to the following article:

K17111035: Configuring OCSP stapling (11.x - 12.x)

You should consider using this procedure under the following condition:

You want to configure the BIG-IP system to use Online Certificate Status Protocol (OCSP) stapling.

Description

OCSP

The original OCSP implementation described in RFC 2560 requires that client applications perform a DNS and an OCSP request, using either HTTP or HTTPS, during the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) handshake to validate a secure website's SSL certificate revocation status. The additional DNS and HTTP/HTTPS requests made during the SSL/TLS handshake cause noticeable performance delays for client applications and significantly increase network traffic and processing overhead for the validating OCSP responders. OCSP stapling was introduced to improve SSL/TLS handshake performance while maintaining security.

OCSP stapling

OCSP stapling (described in RFC 6066 and RFC 6960) is a performance improvement to the original OCSP internet protocol used to verify SSL certificate revocation status.

When a secure web server implements OCSP stapling and a remote client application makes a new SSL connection, the secure web server queries the OCSP responder and obtains a signed and time-sensitive OCSP response during the SSL/TLS handshake. The secure web server then responds to the client application on behalf of the OCSP responder, sending (or stapling) the OCSP response in the status_request TLS Certificate Status Request extension. The client application is then able to verify the SSL certificate's revocation status. The secure web server also caches the OCSP response, and subsequent client connections to the same secure website receive the cached stapled response, which greatly improves overall SSL/TLS handshake performance. While this performance improvement may appear less secure, a trusted entity signs OCSP responses, which allows client applications to verify the authenticity of the response. One possible risk occurs when a certificate revocation notification update (revoked) is delayed until the previously cached (good) OCSP response has expired.

Important: The client application must include the status_request extension in its TLS Client Hello handshake message to enable OCSP stapling.

OCSP responses

You can configure the BIG-IP system to use OCSP stapling for websites that are secured using a Client SSL profile. For more information about how a BIG-IP system manages cached OCSP responses, refer to the following list:

Certificate monitoring

The BIG-IP system can monitor the revocation status of SSL certificates. Revocation monitoring works by querying the OCSP server after the cached OCSP response has expired to determine the SSL certificate's revocation status. When monitoring is enabled, you can also propagate the revocation status of SSL certificates to virtual servers.

Revoked responses

Revoked responses indefinitely remain in the cache. To remove all cached OCSP responses for a specific virtual server and Client SSL profile, use the Deleting the OCSP response cache procedure.

The nextUpdate extension

OCSP responders can include an optional nextUpdate extension to indicate the time that new certificate revocation status information will be made available. The BIG-IP system does not cache an OCSP response when the nextUpdate extension is missing.

Viewing OCSP profile statistics

There is currently no command available for viewing the OCSP response cache. You can however view OCSP profile statistics such as errors and number of requests. To do so, use the Viewing OCSP profile statistics procedure.

Prerequisites

You must meet the following prerequisites to use this procedure:

You have a remote OCSP responder.
You have access to the Configuration utility.
You have a virtual server configured to process SSL traffic using a Client SSL profile.
You have configured the network time protocol (NTP) on the BIG-IP system and remote OCSP responder.
The following service ports are accessible between the BIG-IP system and the OCSP responder: 53 (DNS) and 80 or 443 (OCSP).
You have access to a Linux command line if testing is required.

Procedures

Import the CA or OCSP responder signing certificate
Configure the OCSP stapling profile
Modify the SSL certificate
Modify the Client SSL profile
Test the OCSP configuration
View OCSP profile statistics
Delete the OCSP response cache

Import the CA or OCSP responder signing certificate

The BIG-IP system must verify the authenticity of the OCSP responder's SSL certificate. Before configuring the OCSP responder and Client SSL profiles, obtain the certificate authority (CA) certificate used to sign the OCSP responder's SSL certificate. You can import the CA certificate by performing the following procedure:

Note: The SSL certificate file should include the BEGIN CERTIFICATE and END CERTIFICATE lines and contain no white space, extra line breaks, or additional characters.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificates List.
3. Click Import.
4. From the Import Type list, click Certificate.
5. For Certificate Name, click Create New and type a name for the certificate in the box.
6. For Certificate Source, click Upload File and browse to the file on your computer, or click Paste Text and paste the source location into the box.
7. Click Import.

Configure the OCSP stapling profile

Prior to configuring the OCSP stapling profile, you may need to contact the OCSP responder's administrator to ensure the OCSP options are correctly configured. To configure the OCSP stapling profile, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > OCSP.
3. Click Create.
4. Under General Properties, type a unique identifier or name for the OCSP profile.
5. Under Connection, for Use Proxy Server, select the check box if you intend to use servers that can proxy HTTP requests to an external server to fetch responses, or leave this check box unselected if you intend to use a domain name in either the OCSP stapling profile's Responder URL option or in the secure website SSL certificate Authority Information Access (AIA) extension to fetch responses.
6. For DNS Resolver/Proxy Server Pool, depending on your selection for the previous setting, specify the appropriate DNS resolver or proxy server, or click + to define a new one.
7. Optionally configure the following Connection settings:

Route Domain - Click the route domain the system uses for fetching OCSP responses using HTTP forward proxy, or click + to define a new route domain.
Concurrent Connections Limit - Type the maximum number of connections per second allowed for OCSP certificate validation. The default value is 50.
Responder URL - Type the HTTP/HTTPS based URL used to override the AIA extension configured in the OCSP responder's SSL/TLS certificate. The default is empty (no value).
Timeout - Type the time in seconds that the system waits for a reply from the OCSP responder before dropping the connection. The value should be less than the value set for the handshake timeout in the Client SSL profile referencing the OCSP stapling profile. The default is 8.

8. Optionally configure the following Response Validation settings:

Trusted Responders - Click the name of the certificate the system uses for validating the OCSP response when the responder's certificate is omitted from the response.
Clock Skew - Type the maximum allowable time difference between the OCSP responder and the BIG-IP system, in seconds. The default value is 300.

Important: Configure NTP on both the OCSP responder and BIG-IP system to avoid time issues affecting OCSP responses.

Status Age - Type the maximum allowed lag time in seconds that the BIG-IP system accepts for the thisUpdate time in the OCSP response. If this maximum is exceeded, the system drops the response. If you set this value to 0 (zero), the system skips this validation. The default value is 0.
Options - Select the Strict Responder Certificate Checking check box to require the system to validate OCSP signing extensions. This option is disabled by default.

9. Optionally configure the following Response Caching settings:

Timeout - Specify the lifetime of the OCSP response stored in the cache. The time period for cached responses is the minimum of the response validity period of the nextUpdate extension and the configured Timeout. Select Specify to enter a custom value in seconds. The default value is Indefinite.
Error Timeout - Type the lifetime of an error response in the cache, in seconds. The default value is 3600.

10. Optionally configure the following Request Signing settings:

Certificate - Click the name of the certificate the system uses to sign an OCSP request. The default value is None.
Key - Click the name of the key the system uses to sign an OCSP request. The default value is None.
Passphrase - Type the passphrase the system uses to sign an OCSP request.
Hash Algorithm - Click the name of the hash algorithm the system uses to sign an OCSP request. The default value is SHA256.

11. After you configure the settings, click Finished.

Modify the SSL certificate

You must associate the OCSP profile and the CA or OCSP responder signing certificate, which you imported in the first procedure, with the SSL certificate associated with the Client SSL profile. You can also choose to monitor the SSL certificate's revocation status. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure enables OCSP verification by client applications when they present the TLS status_request extension during the SSL/TLS handshake.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificates List.
3. Under Name, click the name of the SSL certificate associated with the Client SSL profile. You obtained this in the Modifying the Client SSL profile procedure.
4. Optionally select the Monitoring Type check box to have the BIG-IP system monitor the SSL certificate's revocation status.

Note: You can view all of the SSL certificates with monitoring enabled by navigating to System > Certificate Management > Traffic Certificate Management > SSL Certificates List.

5. For Issuer Certificate, click the CA certificate the system uses to sign the OCSP responder certificate. You imported this in the Importing the CA or OCSP responder signing certificate procedure.
6. For OCSP, click the OCSP profile that you created in the Configuring the OCSP stapling profile procedure.
7. Click Update Status Monitoring.

Modify the Client SSL profile

You must enable OCSP stapling and associate the CA certificate the system uses to sign the OCSP responder certificate with the Client SSL profile. You can also communicate the SSL certificate revocation status to the virtual server by enabling the Notify Certificate Status to Virtual Server option. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure enables OCSP verification by client applications when they present the TLS status_request extension during the SSL/TLS handshake.

1. Log in to the Configuration utility.
2. Navigate to Local Traffic > Profiles > SSL > Client.
3. From the Certificate Key Chain section, click the previously configured SSL certificate and key entry under the Add and Replace buttons.

Note: Make note of the SSL certificate name for the next procedure.

4. For Chain, click the CA certificate the system uses to sign the OCSP responder certificate. You imported this during the Importing the CA or OCSP responder signing certificate procedure.
5. Click Add.

6. Select the OCSP Stapling check box.
7. Optionally select the Notify Certificate Status to Virtual Server check box to communicate SSL certificate revocation status to the virtual server. If an SSL certificate becomes revoked, the BIG-IP system continues to process traffic and displays a status warning message similar to the following example:

Unavailable (Enabled) - The virtual server has clientssl profile(s) using revoked certificate(s)

Note: You must enable OCSP Monitoring Type in the next procedure to communicate revocation status to the Virtual Server.

8. Click Update.

Test the OCSP configuration

You can use the openssl s_client command from a Linux host to test OCSP stapling after you complete the configuration. If any issues arise that indicate OCSP stapling is not working, you can enable keymgmtd debug logging to gather additional diagnostic information, which is logged to the /var/log/ltm file. To test and troubleshoot the OCSP stapling configuration, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the command line of a Linux host.
2. Test the OCSP configuration using the following command syntax:

openssl s_client -connect <virtual server IP address>:<service port> -status

For example, to test OCSP stapling for a virtual server named example_ocsp_vip with IP address 192.168.10.100 using service port 443, type the following command:

openssl s_client -connect 192.168.10.100:443 -status

3. The command output should appear similar to the following example. Ensure the OCSP Response Status is successful and the Next Update extension is present:

CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, ST = Wa, O = AskF5, OU = AskF5 CA, CN = ca.askf5.net
    Produced At: Feb  9 16:34:45 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: EF11617B37AD95E216A8CB95F89222FC15EF74E1
      Issuer Key Hash: A8AA1ED4F9F3A74BABFF8B8F73D604123BA0C292
      Serial Number: 1005
    Cert Status: good
    This Update: Feb  9 16:34:45 2016 GMT
    Next Update: Feb  9 16:36:45 2016 GMT

4. If the OCSP response status is not successful, you should gather additional diagnostic information by enabling keymgmtd debug logging. To enable keymgmtd debug logging, type the following command:

tmsh modify sys db log.keymgmtd.level value debug

Important: If you enable keymgmtd debug logging, ensure that you follow step 5 for disabling keymgmtd debug logging once testing is complete.

5. Once troubleshooting is complete, turn off keymgmtd debug logging by entering the following command:

tmsh modify sys db log.keymgmtd.level value warning
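The following script is an added example and is not part of this article or of the BIG-IP product; it shows how to check the openssl s_client -status output from step 3 against the rules the OCSP stapling profile applies: the response must be stapled and successful, thisUpdate and nextUpdate are judged against the Clock Skew and Status Age settings from the Response Validation section, a response without nextUpdate is not cached, and the cache lifetime is the minimum of the remaining nextUpdate validity and the Response Caching Timeout. The sample output embedded in the script is constructed from the example above; the function names, the check messages, and the way the settings are modelled are assumptions made for this example, not BIG-IP behaviour taken from the product.

```python
"""Check a stapled OCSP response (as printed by `openssl s_client -status`)
against the validation and caching rules described in the article.
Example code added to the article; not part of BIG-IP."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the relevant lines of `openssl s_client -status` output,
# with the same values as the example in the article.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, ST = Wa, O = AskF5, OU = AskF5 CA, CN = ca.askf5.net
    Produced At: Feb  9 16:34:45 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: EF11617B37AD95E216A8CB95F89222FC15EF74E1
      Issuer Key Hash: A8AA1ED4F9F3A74BABFF8B8F73D604123BA0C292
      Serial Number: 1005
    Cert Status: good
    This Update: Feb  9 16:34:45 2016 GMT
    Next Update: Feb  9 16:36:45 2016 GMT
"""

OPENSSL_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"


def field(text, name):
    """Return the value printed after `name:` on its own line, or None."""
    match = re.search(r"^\s*" + re.escape(name) + r":\s*(.+?)\s*$", text, re.M)
    return match.group(1) if match else None


def parse_openssl_time(value):
    """Parse an openssl timestamp such as 'Feb  9 16:34:45 2016 GMT' as UTC.
    openssl pads single-digit days with a space, so whitespace is collapsed."""
    return datetime.strptime(" ".join(value.split()),
                             OPENSSL_TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_stapled_response(text):
    """Extract the fields the checks below need from s_client output."""
    status = field(text, "OCSP Response Status")
    if status is None:
        # No "OCSP Response Status" line: nothing was stapled.
        return {"stapled": False}
    next_update = field(text, "Next Update")
    return {
        "stapled": True,
        "successful": status.startswith("successful"),
        "cert_status": field(text, "Cert Status"),
        "this_update": parse_openssl_time(field(text, "This Update")),
        "next_update": parse_openssl_time(next_update) if next_update else None,
    }


def check_response(resp, now, clock_skew=300, status_age=0):
    """Apply the profile's Response Validation settings (defaults as in the
    article: Clock Skew 300 s, Status Age 0 = skip). Returns a list of problems;
    an empty list means the stapled response would be accepted."""
    if not resp["stapled"]:
        return ["no OCSP response was stapled (client must send status_request)"]
    if not resp["successful"]:
        return ["OCSP Response Status is not successful"]
    problems = []
    skew = timedelta(seconds=clock_skew)
    if resp["this_update"] > now + skew:
        problems.append("thisUpdate is in the future beyond the clock skew")
    if resp["next_update"] is not None and resp["next_update"] < now - skew:
        problems.append("nextUpdate has passed: response is stale")
    if status_age and (now - resp["this_update"]).total_seconds() > status_age:
        problems.append("thisUpdate is older than the Status Age limit")
    if resp["cert_status"] != "good":
        problems.append(f"certificate status is {resp['cert_status']}")
    return problems


def cache_lifetime(resp, now, cache_timeout=None):
    """Seconds the response would stay cached: 0 when nextUpdate is missing,
    otherwise the minimum of the remaining nextUpdate validity and the
    Response Caching Timeout (None models the default, Indefinite)."""
    if not resp["stapled"] or resp["next_update"] is None:
        return 0
    remaining = int((resp["next_update"] - now).total_seconds())
    if cache_timeout is not None:
        remaining = min(remaining, cache_timeout)
    return max(remaining, 0)


if __name__ == "__main__":
    resp = parse_stapled_response(SAMPLE_OUTPUT)
    now = parse_openssl_time("Feb 9 16:35:00 2016 GMT")  # constructed "now"
    print("problems:", check_response(resp, now) or "none")
    print("cache lifetime (s):", cache_lifetime(resp, now, cache_timeout=60))
```

To run it against a live virtual server, pipe the output of step 2 into parse_stapled_response and use the real current time; the constructed "now" in the usage block is chosen to fall inside the sample response's validity window.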

View OCSP profile statistics

You can view the OCSP profile statistics associated with a specific SSL certificate by performing one of the following procedures:

Impact of procedure: Performing the following procedures enables OCSP verification by client applications when they present the TLS status_request extension during the SSL/TLS handshake.

View OCSP statistics using the Configuration utility

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > OCSP.
3. Under Name, click the OCSP profile associated with the SSL certificate and SSL profile.
4. Click Statistics.

View OCSP statistics using the TMOS shell

1. Log in to the TMOS shell (tmsh) by typing the following command:

tmsh

2. To show the OCSP profile statistics for an OCSP profile, use the following command syntax:

show sys crypto cert-validator ocsp <OCSP profile name>

For example, to show the OCSP statistics for the OCSP profile named example_ocsp, type the following command:

show sys crypto cert-validator ocsp example_ocsp

Delete the OCSP response cache

You can delete the OCSP response cache associated with a specific SSL certificate by performing one of the following procedures:

Impact of procedure: Performing the following procedures enables OCSP verification by client applications when they present the TLS status_request extension during the SSL/TLS handshake.

Delete the OCSP response cache using the Configuration utility

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificates List.
3. Under Name, click the SSL certificate associated with the Client SSL profile.
4. Click Delete OCSP Cache....

Delete the OCSP response cache using tmsh

1. Log in to tmsh by typing the following command:

tmsh

2. To delete the OCSP cache for a virtual server and associated client SSL profile, use the following command syntax:

delete sys crypto cert-validation-response ocsp certificate <SSL certificate name>

For example, to delete the OCSP cache for the SSL certificate named example.crt, type the following command:

delete sys crypto cert-validation-response ocsp certificate example.crt

Supplemental Information

K3122: Using the BIG-IP Configuration utility to add an NTP server
K13302: Configuring the BIG-IP system to use an SSL chain certificate (11.x - 16.x)
K5532: Configuring the level of information logged for TMM-specific events
K10209: Overview of packet tracing with the ssldump utility
K411: Overview of packet tracing with the tcpdump utility
K14358: Overview of Clustered Multiprocessing (11.3.0 and later)

Applies to:

Product: BIG-IP, BIG-IP APM, BIG-IP ASM, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP PEM

Versions: 16.X.X, 15.X.X, 14.X.X, 13.X.X