Hi Igor,
Usually OCSP checks are done over a non-secure channel. I don't think that WebSEAL supports OCSP over a TLS (HTTPS) connection (I could be wrong... someone else will have to comment on that). Most OCSP responders listen on HTTP and not HTTPS.
In an HTTP connection there is no SNI. The ingress would most likely route your request based on the Host header in the HTTP request. I would expect WebSEAL to set that based on the host you give for your OCSP server.
Have you tried setting up your OCSP over HTTP instead of HTTPS?
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
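Jon's point above (a plaintext HTTP request carries no SNI, so an ingress can only route it on the Host header, while SNI exists only inside the TLS ClientHello) can be made concrete with a small added example. This code is not from the thread, from WebSEAL or from IBM; the hostname, the backend names and the OCSP request body bytes are constructed placeholders, and the "ingress" is a simulation that looks at exactly the bytes a real router would see before any decryption.

```python
"""
Added example (not from the original thread): where the target hostname lives
in a plaintext HTTP OCSP request versus a TLS ClientHello.

An HTTP ingress has no SNI to look at on a plaintext connection; it routes on
the Host header. With TLS, the hostname a router sees before decryption is the
server_name (SNI) extension in the ClientHello. The functions below build and
parse both so you can see which bytes carry the name in each case.
"""
import struct


def build_ocsp_http_request(host, path, der_request):
    """Build an RFC 6960 style HTTP POST carrying a DER-encoded OCSP request.
    On a plaintext connection the only routing hint is the Host header."""
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/ocsp-request\r\n"
        f"Content-Length: {len(der_request)}\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + der_request


def http_host_header(raw):
    """Return the Host header value an HTTP ingress would route on, or None."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii")
    return None


def build_client_hello_with_sni(host):
    """Build a minimal TLS 1.2 ClientHello whose only extension is server_name."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension_type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random (constructed, all zero)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"          # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                                 # compression methods: null only
        + struct.pack("!H", len(ext)) + ext           # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(raw):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    if len(raw) < 5 or raw[0] != 0x16:            # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", raw[3:5])[0]
    hs = raw[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
        return None
    pos = 4 + 2 + 32                              # handshake header, version, random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = hs[pos]
    pos += 1 + cm_len
    if pos + 2 > len(hs):                         # no extensions block at all
        return None
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0x0000:
            data = hs[pos:pos + elen]
            # server_name_list length (2) + name_type (1), then name length (2)
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
        pos += elen
    return None


def route(raw, backends, default="default-backend"):
    """Simulated ingress: choose a backend by the name visible on the wire."""
    host = tls_sni(raw) or http_host_header(raw)
    return backends.get(host, default)


if __name__ == "__main__":
    # Constructed placeholder body; not a valid OCSPRequest, just some DER bytes.
    der = b"\x30\x03\x02\x01\x00"
    target = "ocsp.example.internal"
    http_req = build_ocsp_http_request(target, "/", der)
    hello = build_client_hello_with_sni(target)
    print("HTTP Host header :", http_host_header(http_req))
    print("HTTP SNI         :", tls_sni(http_req))
    print("TLS SNI          :", tls_sni(hello))
    print("Routed to        :", route(http_req, {target: "ocsp-svc"}))
```

Running it shows the asymmetry the thread is about: the plaintext OCSP POST yields a Host header and no SNI, the ClientHello yields an SNI and no Host header, and the simulated ingress still reaches the OCSP backend from the HTTP request because it falls back to the Host header. This is why serving the responder over plain HTTP, as suggested above, avoids the SNI dependency entirely.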
Original Message:
Sent: Fri August 27, 2021 08:32 AM
From: Igor Vinogradov
Subject: OCSP and SNI
Hi Jon,
We have configured WebSEAL to check revoked certificates using OCSP service.
The service for checking OCSP certificates is deployed on OpenShift with support for SNI.
When WebSEAL accesses the OCSP service, it does not use SNI and the request does not reach the OCSP service.
------------------------------
Igor Vinogradov
Original Message:
Sent: Fri August 27, 2021 07:56 AM
From: Jon Harry
Subject: OCSP and SNI
Hi Igor,
I don't understand the question - What is the connection between SNI and OCSP here? Can you provide a little more information on what you're trying to do and what isn't working?
Thanks... Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Thu August 26, 2021 01:41 PM
From: Igor Vinogradov
Subject: OCSP and SNI
Hello,
How to enable SNI support in WebSEAL 9.0 for OCSP?
------------------------------
Igor Vinogradov
------------------------------