Bug ID 787433: SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2

Fixed In:
15.1.0, 14.1.2.1

Opened: May 28, 2019

Severity: 3-Major

Symptoms

When stapling the OCSP response (and hence OCSP certificate) to the SSL client, the issuer that appears on the OCSP certificate mismatches with what is configured in the client SSL profile as the forward proxy CA cert.

Impact

In SSLO or SSL forward proxy mode, the server cert and the OCSP response the BIG-IP system sends to the SSL client should be both signed (issued) by the forward proxy CA cert configured at the client SSL profile. If they are signed by different issuers, it may not pass some of the validation check performed by the SSL client and might lead to SSL client's terminating the SSL handshake.

Conditions

The issue is seen when all the below conditions are met. -- The BIG-IP system is using SSLO or SSL forward proxy. -- The client hello sent from the SSL client includes the status request extension. This means that it requests BIG-IP system to staple the OCSP response. -- The forward proxy CA cert in the client SSL profile is modified.

Workaround

To updates and regenerates the OCSP signer information, after modifying the forward proxy CA cert, run the command: bigstart restart tmm

Fix Information

The issuer appearing on the OCSP response always matches the forward proxy CA cert configured at the client SSL profile.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips