Bug ID 1037257: SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check

Last Modified: Apr 24, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3

Fixed In:
17.1.1, 15.1.10

Opened: Jul 29, 2021

Severity: 3-Major

Symptoms

In logs the result of Dynamic CRL validation using SSL::verify_result is appearing as 0, which is not correct.

Impact

Incorrect information that certification validation is successful for a revoked certificate is logged.

Conditions

1. Use Dynamic CRL 2. Use a REVOKED certificate

Workaround

Static CRL method of certificate validation can be used.

Fix Information

iRule was configured to get certificate validation result. But it was getting called before validation. So with fix iRule deferred till validation result is available.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips