Last Modified: Dec 18, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1
Opened: Nov 25, 2021 Severity: 3-Major
Bundled SSL certifcates fail to validate with an OCSP responder, and they are marked invalid in the GUI and tmsh.
Client SSL traffic may become disrupted if the affected certificates are used to process it.
1. One or more bundled certificates (containing intermediate certificates in addition to the subject one) are stored on the BIG-IP. 2. The certificates are configured for monitoring over OCSP. 2. The OCSP stapling parameter "Trusted Responders" is set to 'none'.
1. Do not use OCSP status monitoring on subject certificates. OR 2. Do not use bundled certificates. OR 3. Set the Trusted Responders OCSP stapling parameter to the certificate of the OCSP responder used by the certificates.
None