Last Modified: Dec 18, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 17.0.0, 17.0.0.1, 17.0.0.2
Opened: Apr 08, 2021 Severity: 3-Major
'SSL::verify_result' iRule command may return '0' (validation check success) even if the client certificate has already been revoked. The expected return value on a revoked certificate is '23' (certificate revoked).
The iRule 'SSL::verify_result' command may return unexpected values. Traffic can be unexpectedly load-balanced to the backend pool member when the end user client requests the virtual server with the revoked certificate.
-- Dynamic CRL check is configured on the client SSL profile. -- An iRule checks client certificate validity by 'SSL::verify_result' command. Here is example. when HTTP_REQUEST { set cert [SSL::cert 0] set cert_string [X509::verify_cert_error_string [SSL::verify_result]] set code [SSL::verify_result] if { [SSL::verify_result] == 0 }{ log local0. "success $cert_string $code" return } else { log local0. "failed $cert_string $code" HTTP::respond 403 content "<html>Invalid client certificate:</html>\n" } } Note: SSL::cert command is in fact the trigger for the behavior as it causes a rebuild of the certificate chain and fetches the status from the cache, which is 0. The reason it is 0 in the cache is that, when dynamic CRLs are used, the system verifies the cert, receives a code 23 (revoked), but the system does not update the SSL session cache with the result.
You can use any of the following workarounds: -- Remove the SSL::cert command from the iRule (it is not needed in HTTP_REQUEST since the system still has the verify result in runtime code). -- Set cache-size 0 (zero) on client SSL profiles: # tmsh modify ltm profile client-ssl [client-ssl profile name] cache-size 0 -- Use authentication frequency 'always' on client SSL profiles: # tmsh modify ltm profile client-ssl [client-ssl profile name] authenticate always
None