Bug ID 1009921: 'SSL::verify_result' iRule command may return incorrect value when combined with dynamic CRL check

Last Modified: Jul 23, 2021

Bug Tracker

Affected Product: BIG-IP LTM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0

Opened: Apr 08, 2021
Severity: 3-Major

Symptoms

The 'SSL::verify_result' iRule command may return 0 (validation check success) even if the client certificate has already been revoked. The expected return value for a revoked certificate is 23 (certificate revoked).

Impact

The iRule 'SSL::verify_result' command may return unexpected values. As a result, traffic can unexpectedly be load-balanced to a backend pool member when a client presents a revoked certificate to the virtual server.

Conditions

-- Dynamic CRL check is configured on the client SSL profile.
-- An iRule checks client certificate validity with the 'SSL::verify_result' command. For example:

    when HTTP_REQUEST {
        # SSL::cert is the trigger for this bug (see the note below).
        set cert [SSL::cert 0]
        set cert_string [X509::verify_cert_error_string [SSL::verify_result]]
        set code [SSL::verify_result]
        if { [SSL::verify_result] == 0 } {
            log local0. "success $cert_string $code"
            return
        } else {
            log local0. "failed $cert_string $code"
            HTTP::respond 403 content "<html>Invalid client certificate:</html>\n"
        }
    }

Note: The SSL::cert command is in fact the trigger for the behavior. It causes a rebuild of the certificate chain and fetches the verification status from the SSL session cache, where the status is 0. The reason it is 0 in the cache is that, when dynamic CRLs are used, the system verifies the certificate and receives code 23 (revoked), but it does not update the SSL session cache with that result.

Workaround

You can use any of the following workarounds:

-- Remove the SSL::cert command from the iRule (it is not needed in HTTP_REQUEST, since the system still has the verify result in runtime code).

-- Set cache-size to 0 (zero) on the client SSL profile:

    # tmsh modify ltm profile client-ssl [client-ssl profile name] cache-size 0

-- Use authentication frequency 'always' on the client SSL profile:

    # tmsh modify ltm profile client-ssl [client-ssl profile name] authenticate always
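As an added example (not from this bug record or from F5), the iRule from the Conditions section with the first workaround applied: SSL::cert is not called in HTTP_REQUEST, the verify result is read once and reused, and a revoked certificate is logged and refused. The IP::client_addr call in the log lines is an addition that is not on this page.

```tcl
# Added example, not F5's code: the page's iRule with SSL::cert removed.
# Without SSL::cert in HTTP_REQUEST the certificate chain is not rebuilt,
# so SSL::verify_result reports the runtime verify result rather than the
# stale 0 left in the SSL session cache when a dynamic CRL check finds the
# certificate revoked.
when HTTP_REQUEST {
    # Read the result once and reuse it so the log line and the decision
    # are based on the same value.
    set code [SSL::verify_result]
    set cert_string [X509::verify_cert_error_string $code]

    if { $code == 0 } {
        log local0. "client cert accepted: $cert_string ($code) from [IP::client_addr]"
        return
    }

    # 23 is the revoked code the record expects for a revoked certificate;
    # log it distinctly so revocation hits are easy to find in the logs.
    if { $code == 23 } {
        log local0. "client cert revoked: $cert_string ($code) from [IP::client_addr]"
    } else {
        log local0. "client cert failed: $cert_string ($code) from [IP::client_addr]"
    }

    # Refuse the request before it is load-balanced to a pool member.
    HTTP::respond 403 content "<html>Invalid client certificate</html>\n"
}
```

If the certificate contents are needed elsewhere in the iRule, the profile-level workarounds on this page (cache-size 0 or authenticate always) avoid the stale cache value regardless of where SSL::cert is called.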

Fix Information

None

Behavior Change