Skip to content
Menu
IT-DRAFTS
  • About
  • My Statistics at Microsoft Q&A
  • Privacy policy
IT-DRAFTS
May 13, 2025May 13, 2025

Work around the OCSP validation issue in Azure Application Gateway

1. First, verify connectivity to OCSP responder from Azure’s network:

bash
# Create a test VM in the same subnet as your App Gateway
az vm create --resource-group MyResourceGroup --name TestVM --image UbuntuLTS --vnet-name MyVNet --subnet MySubnet --admin-username azureuser

# SSH into the VM and test OCSP responder
openssl ocsp -issuer intermediate.crt -cert client.crt -url http://ocsp.yourca.com -text

2. Check current SSL policy settings:

bash
az network application-gateway ssl-policy show \
    --resource-group MyResourceGroup \
    --gateway-name MyAppGateway

3. Disable OCSP stapling (workaround):

bash
az network application-gateway ssl-policy set \
    --resource-group MyResourceGroup \
    --gateway-name MyAppGateway \
    --name AppGwSslPolicy \
    --disabled-ssl-protocols TLSv1_0 TLSv1_1 \
    --policy-type Custom \
    --cipher-suites 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' \
    --min-protocol-version TLSv1_2 \
    --no-ocsp-stapling

4. Enable verbose logging for troubleshooting:

bash
az monitor diagnostic-settings create \
    --resource /subscriptions/xxxx/resourceGroups/MyResourceGroup/providers/Microsoft.Network/applicationGateways/MyAppGateway \
    --name AppGWDiagnostics \
    --logs '[{"category":"ApplicationGatewayAccessLog","enabled":true},{"category":"ApplicationGatewayPerformanceLog","enabled":true},{"category":"ApplicationGatewayFirewallLog","enabled":true}]' \
    --workspace /subscriptions/xxxx/resourcegroups/MyResourceGroup/providers/microsoft.operationalinsights/workspaces/MyLogAnalytics

5. If needed, force CRL-based revocation instead:

bash
az network application-gateway http-settings update \
    --resource-group MyResourceGroup \
    --gateway-name MyAppGateway \
    --name myhttpsettings \
    --ssl-cert <cert-name> \
    --crl-enabled true

6. To check SSL handshake failures:

bash
az network application-gateway waf-config show \
    --resource-group MyResourceGroup \
    --gateway-name MyAppGateway

For the permanent fix, I recommend opening a support ticket with these details:

bash
az support tickets create \
    --title "OCSP Validation Failure in App Gateway" \
    --description "OCSP works externally but fails in App Gateway" \
    --severity minimal \
    --contact-email "rajeev@example.com" \
    --contact-phone "1234567890" \
    --contact-first-name "Rajeev" \
    --contact-last-name "G" \
    --subtype "Technical" \
    --problem-classification "/providers/Microsoft.Support/services/{serviceGUID}/problemClassifications/{problemClassificationGUID}"

 

RGDS,

Alex

Categories

ActiveDirectory AI AIInfrastructure Azure AzureAI azurepolicy azuresecurity cloudarchitecture cloudnetworking CloudSecurity Copilot ctrlaltdelblog Cybersecurity DataProtection DataSecurity DevOps devsecops Entra entraID GDPRcompliance Howto hybridcloud infosec Innovation Intune ITProblems licensing Microsoft Microsoft365 Microsoft AI MicrosoftAzure microsoftcloud Microsoft Product microsoftsecurity SecureAccess Security securitycopilot SoftwareUpdate sysadminlife TechNews updates Windows Windows10 Windows11 zeroTrust

Archives

  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025
  • February 2025
  • October 2024
  • September 2024
  • July 2024
  • June 2024
  • May 2024
  • April 2024
  • March 2024
No comments to show.

Recent Comments

Recent Posts

  • 🛡️ Secure Medallion Architecture on Azure Databricks Or How to Stop Treating Your Lakehouse Like a Flat Share
  • Monitoring Azure OpenAI Your Way — Without Tossing Out Your Observability Stack
  • How to Push Windows 11 25H2 Using Intune (Without Losing Your Sanity) + PowerShell Script
  • Goodbye SCOM Managed Instance: The End of an Era
  • Cybersecurity Tools: Expectation vs Reality
©2025 IT-DRAFTS | Powered by WordPress and Superb Themes!