K17111035: Configuring OCSP stapling (11.x - 12.x)

Non-Diagnostic

Original Publication Date: Apr 1, 2016

Update Date: Sep 14, 2019

Topic

This article applies to BIG-IP 11.x through 12.x. For information about other versions, refer to the following article:

K75106155: Configuring OCSP stapling (13.x - 15.x)

You should consider using this procedure under the following condition:

You want to configure the BIG-IP system to use Online Certificate Status Protocol (OCSP) stapling.

Description

OCSP

The original OCSP protocol, described in RFC 2560, requires the client application to perform a DNS lookup and an OCSP request, over HTTP or HTTPS, during the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) handshake to validate the revocation status of a secure website's SSL certificate. These additional DNS and HTTP/HTTPS requests made during the SSL/TLS handshake cause noticeable delays for client applications and significantly increase network traffic and processing load on the OCSP responders that answer the queries. OCSP stapling was introduced to improve SSL/TLS handshake performance while maintaining security.

OCSP Stapling

OCSP stapling (the TLS status_request extension described in RFC 6066, carrying an OCSP response as defined in RFC 6960) is a performance improvement to the original OCSP protocol used to verify SSL certificate revocation status.

When a secure web server implements OCSP stapling and a remote client application makes a new SSL connection, the secure web server queries the OCSP responder and obtains a signed, time-limited OCSP response during the SSL/TLS handshake. The secure web server then responds to the client application on behalf of the OCSP responder, sending (or stapling) the OCSP response in the TLS CertificateStatus handshake message, in answer to the client's status_request (Certificate Status Request) extension. The client application is then able to verify the SSL certificate's revocation status without contacting the responder itself. The secure web server also caches the OCSP response, and subsequent client connections to the same secure website receive the cached stapled response, which greatly improves overall SSL/TLS handshake performance.

Although serving revocation status from the web server may appear less secure, the OCSP response is signed by a trusted entity (the CA or its delegated responder), so the client application can verify the authenticity of the response and the web server cannot forge a good status for a revoked certificate. The residual risk is a window of staleness: when a certificate is revoked, client applications continue to receive the previously cached (good) OCSP response until that response expires and the server fetches a fresh one.

Important: The client application must include the status_request extension in its TLS Client Hello handshake message to enable OCSP stapling.

BIG-IP system

Beginning in BIG-IP 11.6.0, you can configure the BIG-IP system to use OCSP stapling for websites that are secured using a Client SSL profile. For more information about how a BIG-IP system manages cached OCSP responses, refer to the following list:

Multiple TMMs

For BIG-IP systems with multiple Traffic Management Microkernels (TMMs), each TMM maintains its own OCSP response cache. The BIG-IP system continues to query the OCSP responder until every TMM has its own cached copy of the OCSP response. Therefore, the first several connections to the same secure website may each trigger an OCSP query, and when testing you must make repeated connections until each TMM has cached its own copy.

Revoked responses

Revoked responses indefinitely remain in the cache. To remove all cached OCSP responses for a specific virtual server and Client SSL profile, use the following command syntax:

tmsh delete ltm clientssl ocsp-stapling-responses clientssl-profile <profile_name> virtual <virtual_server_name>

For example, to delete all of the cached OCSP responses for the virtual server named example_ocsp_vip referencing the Client SSL profile named example_ssl_profile, type the following command:

tmsh delete ltm clientssl ocsp-stapling-responses clientssl-profile example_ssl_profile virtual example_ocsp_vip

The nextUpdate extension

OCSP responders can include an optional nextUpdate extension to indicate the time that new certificate revocation status information will be made available. The BIG-IP system does not cache an OCSP response when the nextUpdate extension is missing.

Viewing the OCSP response cache

There is currently no command available for viewing the OCSP response cache. To view OCSP response errors associated with a specific virtual server, you can use the following command syntax:

tmsh show ltm virtual <virtual_server_name> detail

For example, to view the OCSP response errors for the virtual server named example_ocsp_vip, type the following command:

tmsh show ltm virtual example_ocsp_vip detail

Prerequisites

You must meet the following prerequisites to use this procedure:

You have a remote OCSP responder.
You have access to the Configuration utility.
You have a virtual server configured to process SSL traffic using a Client SSL profile.
You have configured the Network Time Protocol (NTP) on the BIG-IP system and the remote OCSP responder.
The following service ports are accessible between the BIG-IP system and the OCSP responder: 53 (DNS) and 80 or 443 (OCSP).
You have access to a Linux command line with the openssl utility if testing is required.

Procedures

Importing the CA or OCSP responder signing certificate
Configuring the OCSP Stapling profile
Modifying the Client SSL profile
Testing the OCSP configuration

Importing the CA or OCSP responder signing certificate

The BIG-IP system (and the client application) must be able to verify the authenticity of the OCSP responder's signing certificate. Before configuring the OCSP stapling and Client SSL profiles, obtain the certificate authority (CA) certificate that issued the responder's certificate. You can import the CA certificate by performing the following procedure:

Note: The certificate file should be PEM-encoded, include the BEGIN CERTIFICATE and END CERTIFICATE lines, and contain no leading or trailing white space, extra line breaks, or additional characters.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Navigate to System > File Management > SSL Certificate List.
3. Click Import.
4. From the Import Type list, click Certificate.
5. For Certificate Name, click Create New and type a name for the certificate.
6. For Certificate Source, click Upload File and browse to the file on your computer, or click Paste Text and paste the certificate text into the box.
7. Click Import.

Configuring the OCSP Stapling profile

Prior to configuring the OCSP Stapling profile, you may need to contact the OCSP responder's administrator to ensure the OCSP options are correctly configured. To configure the OCSP stapling profile, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Navigate to Local Traffic > Profiles > SSL > OCSP Stapling.
3. Click Create.
4. Configure the General Properties options, as appropriate for your purposes:

Basic view

Note: The options marked with an asterisk (*) are required.

*Name - Type a unique identifier or name for the OCSP profile.
*Use Proxy Server - Select the check box if the system should send OCSP requests through a pool of proxy servers that forward HTTP requests to the external responder. Leave the check box cleared if the system should resolve the responder's domain name itself, using either the Responder URL option of the OCSP stapling profile or the Authority Information Access (AIA) extension of the secure website's SSL certificate.

Note: You can configure a DNS resolver for the OCSP Responder's fully-qualified domain name (FQDN) in the Configuration utility under Network > DNS Resolvers.

*DNS Resolver/Proxy Server Pool - Depending on your selection for the previous setting, specify the appropriate DNS resolver or proxy server pool.
*Trusted Certificate Authorities - Click the name of the CA certificate that signed the OCSP responder's certificate, which you imported during the Importing the CA or OCSP responder signing certificate procedure.
Trusted Responders - Click the name of the responder certificate the system uses to validate the OCSP response signature when the responder's certificate is omitted from the response.

Advanced view

The Advanced view options include those listed under Basic view and the following additional options:

Note: The options marked with an asterisk (*) are not required but may have a significant impact and may require additional tuning, depending on the OCSP responder implementation.

*Responder URL - Type the HTTP or HTTPS URL the system uses to override the AIA extension in the secure website's SSL/TLS certificate. By default, this box is empty.
Signer Certificate - Click the name of the SSL certificate the system uses for signing the OCSP request. The default is None.
Signer Key - Click the name of the SSL key the system uses for signing the OCSP request. The default is None.
Signer Key Passphrase - Type the passphrase that protects the Signer Key. The default value is empty.
*Sign Hash - Click the name of the hash algorithm the system uses to sign an OCSP request. The default is SHA256. The OCSP responder may require you to sign requests using a specific SHA hashing algorithm.
Timeout - Type the time, in seconds, that the system waits for a reply from the OCSP responder before dropping the connection. The value should be less than the handshake timeout configured in the Client SSL profile that references the OCSP stapling profile, so that a slow responder does not stall the client handshake. The default is 8.
*Clock Skew - Type the maximum allowable difference, in seconds, between the clocks of the OCSP responder and the BIG-IP system. The default value is 300. Configure NTP on both the OCSP responder and the BIG-IP system to avoid time issues that cause valid OCSP responses to be rejected.
*Status Age - Type the allowed age, in seconds, of an OCSP response when the nextUpdate field is omitted from the response. The default value is 300.
*Cache Timeout - Type the lifetime, in seconds, of an OCSP response in the cache. The lower of the response validity period and the cache timeout is used for caching the response. The default is Indefinite, indicating that the response validity period alone determines the cache lifetime.
Cache Error Timeout - Type the lifetime, in seconds, of an error response in the cache. The default value is 3600.
Options - Select the Strict Responder Certificate Checking check box to require that the OCSP responder's certificate contain the id-kp-OCSPSigning extended key usage before the system accepts responses signed by it. The default is disabled.

5. After you configure the settings, click Finished.
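The interaction of Clock Skew, Status Age, Cache Timeout and Cache Error Timeout with the nextUpdate field (and the rule, described under Revoked responses above, that revoked responses stay cached until deleted) is easier to reason about as code. The following Python model is an added example written for this article; it is not BIG-IP code, and it only encodes the behaviour the article documents. The class and function names, and the treatment of clock skew when comparing timestamps, are assumptions made for illustration.

```python
"""Model of how the documented BIG-IP OCSP stapling settings decide whether a
response is accepted and for how long it is cached.

Added example, not BIG-IP code.  It encodes the behaviour described in the
article: clock skew tolerance, status-age when nextUpdate is absent, cache
timeout capped by the validity period, revoked responses kept indefinitely,
error responses cached for cache-error-timeout.  Names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INDEFINITE = None  # the profile's "Indefinite" Cache Timeout setting


@dataclass
class StaplingParams:
    """Advanced-view settings, with the defaults the article lists (seconds)."""
    clock_skew: int = 300
    status_age: int = 300                      # used only when nextUpdate is absent
    cache_timeout: Optional[int] = INDEFINITE
    cache_error_timeout: int = 3600


@dataclass
class OcspResponse:
    """The fields of a basic OCSP response that matter for caching."""
    cert_status: str                           # "good", "revoked" or "error"
    this_update: datetime
    next_update: Optional[datetime] = None


@dataclass
class CacheDecision:
    accepted: bool
    cache_for: Optional[timedelta]             # None when not cached (or kept forever)
    forever: bool
    reason: str


def decide(resp: OcspResponse, params: StaplingParams, now: datetime) -> CacheDecision:
    """Apply the documented rules to one response at time `now`."""
    skew = timedelta(seconds=params.clock_skew)

    if resp.cert_status == "error":
        # Errors are cached too, so a broken responder is not hammered on every handshake.
        return CacheDecision(True, timedelta(seconds=params.cache_error_timeout), False,
                             "error response cached for cache-error-timeout")

    # thisUpdate further in the future than the allowed skew: the clocks disagree.
    if resp.this_update > now + skew:
        return CacheDecision(False, None, False, "thisUpdate is in the future beyond clock skew")

    if resp.next_update is None:
        # No nextUpdate: usable while younger than status-age, but never cached.
        age_limit = timedelta(seconds=params.status_age) + skew
        if now - resp.this_update > age_limit:
            return CacheDecision(False, None, False, "response older than status-age")
        return CacheDecision(True, None, False, "accepted but not cached: nextUpdate missing")

    if resp.next_update < now - skew:
        return CacheDecision(False, None, False, "response expired (past nextUpdate)")

    if resp.cert_status == "revoked":
        # Revoked responses stay until an operator deletes them with tmsh.
        return CacheDecision(True, None, True, "revoked response kept until deleted")

    validity_left = resp.next_update - now
    if params.cache_timeout is INDEFINITE:
        return CacheDecision(True, validity_left, False, "cached until nextUpdate")
    cache_for = min(validity_left, timedelta(seconds=params.cache_timeout))
    return CacheDecision(True, cache_for, False, "cached for min(validity, cache-timeout)")
```

A short Cache Timeout therefore only ever shortens the cache lifetime; it cannot make the system keep a response past its nextUpdate, and it does nothing for responders that omit nextUpdate, which are never cached at all.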

Modifying the Client SSL profile

You can enable OCSP stapling only on the Client SSL profile. To configure a Client SSL profile to use OCSP stapling, perform the following procedure:

Impact of procedure: Performing the following procedure enables OCSP stapling for client applications that present the TLS status_request extension during the SSL/TLS handshake.

1. Log in to the Configuration utility.
2. Navigate to Local Traffic > Profiles > SSL > Client.
3. Click the name of the Client SSL profile you want to modify.
4. For Certificate Key Chain, click the previously configured SSL certificate and key entry under the Add and Replace buttons.
5. From the Chain option, click the CA certificate that signed the OCSP responder's certificate. You imported this during the Importing the CA or OCSP responder signing certificate procedure.
6. For OCSP Stapling Parameters, click the OCSP stapling profile you created in the Configuring the OCSP Stapling profile procedure.
7. Click Add.
8. Click Update.

Testing the OCSP configuration

You can use the openssl s_client command from a Linux host to test OCSP stapling after you complete the configuration. If any issues arise that indicate OCSP stapling is not working, you can enable SSL debug logging to gather additional diagnostic information, which is logged to the /var/log/ltm file. To test and troubleshoot the OCSP stapling configuration, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the command line of a Linux host.
2. Test the OCSP configuration using the following command syntax:

openssl s_client -connect <virtual_server_IP>:<port> -status

For example, to test OCSP stapling for a virtual server named example_ocsp_vip with IP address 192.168.10.100 using service port 443, type the following command:

openssl s_client -connect 192.168.10.100:443 -status

3. The command output should appear similar to the following example. Ensure that the OCSP Response Status is successful, the Cert Status is good, and the Next Update field is present (without it the BIG-IP system does not cache the response):

CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, ST = Wa, O = AskF5, OU = AskF5 CA, CN = ca.askf5.net
    Produced At: Feb  9 16:34:45 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: EF11617B37AD95E216A8CB95F89222FC15EF74E1
      Issuer Key Hash: A8AA1ED4F9F3A74BABFF8B8F73D604123BA0C292
      Serial Number: 1005
    Cert Status: good
    This Update: Feb  9 16:34:45 2016 GMT
    Next Update: Feb  9 16:36:45 2016 GMT

4. If the OCSP response status is not successful, you should gather additional diagnostic information by enabling SSL debug logging. To enable SSL debug logging, type the following command:

tmsh modify sys db log.ssl.level value debug

Important: If you enable SSL debug logging, ensure that you follow step 7 for disabling SSL debug logging once testing is complete.

5. When the Client SSL profile is missing or has the incorrect CA certificate selected in the Chain option, the system logs an error message to the /var/log/ltm file that appears similar to the following example:

crit tmm[12345]: 01260000:2: Profile /Common/example_ssl_profile: Could not retrieve the issuer. Not enabling OCSP Stapling.

6. When the OCSP stapling profile is missing or has the incorrect CA certificate selected in the Trusted Certificate Authorities option, the system logs an error message to the /var/log/ltm file that appears similar to the following example:

debug tmm[12345]: 01260024:7: OCSP failure on profile /Common/example_ssl_profile, certificate with issuer /C=US/ST=Wa/O=AskF5/OU=AskF5 CA/CN=ca.askf5.net and serial number 1005: Validation of the OCSP response returned error - failure in verifying the response with the CA /responder cert

7. After you complete troubleshooting, turn off SSL debug logging by typing the following command:

tmsh modify sys db log.ssl.level value warning
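To repeat the test in steps 2 and 3 from a script (for example, once per TMM, or from a monitoring host after a certificate rollover), the following Python script, an added example that is not part of this article, runs the same openssl s_client -status command and checks its output for the three conditions step 3 asks you to confirm. It assumes the openssl binary is on the PATH of the Linux host; the embedded sample output is constructed from the article's example so the parsing can be exercised offline, and the default host and port are the article's example values.

```python
"""Scripted version of the openssl s_client -status check for OCSP stapling.

Added example, not part of the F5 article.  Assumes `openssl` is on PATH.
"""
import re
import subprocess
import sys

# Sample output constructed from the article's example (offline check only).
SAMPLE_OUTPUT = """CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, ST = Wa, O = AskF5, OU = AskF5 CA, CN = ca.askf5.net
    Produced At: Feb  9 16:34:45 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: EF11617B37AD95E216A8CB95F89222FC15EF74E1
      Issuer Key Hash: A8AA1ED4F9F3A74BABFF8B8F73D604123BA0C292
      Serial Number: 1005
    Cert Status: good
    This Update: Feb  9 16:34:45 2016 GMT
    Next Update: Feb  9 16:36:45 2016 GMT
======================================
"""

# What s_client prints when the server sends no CertificateStatus message.
NO_RESPONSE_OUTPUT = "CONNECTED(00000003)\nOCSP response: no response sent\n"


def parse_ocsp_status(output: str) -> dict:
    """Extract the stapling-relevant fields from `openssl s_client -status` output."""
    result = {"stapled": False, "response_status": None, "cert_status": None,
              "this_update": None, "next_update": None}
    if "OCSP response: no response sent" in output:
        return result
    m = re.search(r"OCSP Response Status:\s*(\w+)", output)
    if m:
        result["stapled"] = True
        result["response_status"] = m.group(1)
    for key, label in (("cert_status", "Cert Status"),
                       ("this_update", "This Update"),
                       ("next_update", "Next Update")):
        m = re.search(rf"{label}:\s*(.+)", output)
        if m:
            result[key] = m.group(1).strip()
    return result


def evaluate(parsed: dict) -> list:
    """Return a list of problems; an empty list means stapling looks healthy."""
    problems = []
    if not parsed["stapled"]:
        problems.append("no OCSP response stapled (server did not answer status_request)")
        return problems
    if parsed["response_status"] != "successful":
        problems.append(f"OCSP response status is {parsed['response_status']}, not successful")
    if parsed["cert_status"] != "good":
        problems.append(f"certificate status is {parsed['cert_status']}")
    if parsed["next_update"] is None:
        problems.append("nextUpdate missing: BIG-IP will not cache this response")
    return problems


def check_stapling(host: str, port: int = 443, timeout: int = 15) -> dict:
    """Run `openssl s_client -connect host:port -status` and evaluate the result.

    stdin is closed immediately so s_client exits after the handshake.
    """
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-status"],
        input=b"", capture_output=True, timeout=timeout)
    parsed = parse_ocsp_status(proc.stdout.decode(errors="replace"))
    parsed["problems"] = evaluate(parsed)
    return parsed


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.10.100"   # article's example VIP
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    report = check_stapling(host, port)
    if report["problems"]:
        for problem in report["problems"]:
            print("FAIL:", problem)
        sys.exit(1)
    print(f"OK: stapled response good, valid until {report['next_update']}")
```

Run the check several times in succession: as noted under Multiple TMMs above, each TMM fetches and caches its own copy, so early connections can land on a TMM that has not cached a response yet. A persistent "no OCSP response stapled" result is the case in which to enable SSL debug logging as described in step 4.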

Supplemental Information

K3122: Using the BIG-IP Configuration utility to add an NTP server
K13302: Configuring the BIG-IP system to use an SSL chain certificate (11.x - 13.x)
K5532: Configuring the level of information logged for TMM-specific events
K10209: Overview of packet tracing with the ssldump utility
K411: Overview of packet tracing with the tcpdump utility
K14358: Overview of Clustered Multiprocessing (11.3.0 and later)

Applies to:

Product: BIG-IP, BIG-IP LTM 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.1, 11.6.0