Bug ID 1009921: 'SSL::verify_result' iRule command may return incorrect value when combined with dynamic CRL check

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.1.9, 15.1.10, 16.0.0, 16.0.1, 16.1.0, 16.1.1, 16.1.2, 16.1.3, 16.1.4, 17.0.0

Opened: Apr 08, 2021

Severity: 3-Major


The 'SSL::verify_result' iRule command may return '0' (validation succeeded) even though the client certificate has already been revoked. The expected return value for a revoked certificate is '23' (certificate revoked).


The 'SSL::verify_result' iRule command returns an unexpected value, so an iRule that relies on it treats a revoked client certificate as valid. Traffic from a client that presents a revoked certificate to the virtual server is then load-balanced to a backend pool member instead of being rejected.


-- Dynamic CRL check is configured on the client SSL profile.
-- An iRule checks client certificate validity with the 'SSL::verify_result' command. Here is an example:

    when HTTP_REQUEST {
        set cert [SSL::cert 0]
        set cert_string [X509::verify_cert_error_string [SSL::verify_result]]
        set code [SSL::verify_result]
        if { [SSL::verify_result] == 0 } {
            log local0. "success $cert_string $code"
            return
        } else {
            log local0. "failed $cert_string $code"
            HTTP::respond 403 content "<html>Invalid client certificate:</html>\n"
        }
    }

Note: The SSL::cert command is in fact the trigger for the behavior. It causes a rebuild of the certificate chain and fetches the verification status from the SSL session cache, where the status is 0. The status is 0 in the cache because, when dynamic CRLs are used, the system verifies the certificate and receives code 23 (revoked), but it does not update the SSL session cache with that result.


You can use any of the following workarounds:

-- Remove the SSL::cert command from the iRule. It is not needed in HTTP_REQUEST, because the system still holds the verify result in runtime state and 'SSL::verify_result' returns it without consulting the session cache.
-- Set cache-size to 0 (zero) on the client SSL profile, so no stale verification status can be read back from the session cache:

    # tmsh modify ltm profile client-ssl [client-ssl profile name] cache-size 0

-- Set the authentication frequency to 'always' on the client SSL profile, so the client certificate is re-verified (including the dynamic CRL check) on every handshake rather than only once per session:

    # tmsh modify ltm profile client-ssl [client-ssl profile name] authenticate always
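The following iRule applies the first workaround. It is an added example and not code from the F5 bug page: the same check as the example above, with the 'SSL::cert' call removed so that nothing triggers the chain rebuild that reads the stale status from the session cache. The log prefix and the 403 body text are the example's own choices; the error code 23 is OpenSSL's X509_V_ERR_CERT_REVOKED, which is the value the page says a revoked certificate should produce.

```tcl
# Added example (not from the F5 bug page): client-cert check without SSL::cert.
# Calling SSL::verify_result directly avoids the SSL::cert-triggered chain
# rebuild that returns the cached, never-updated status of 0 under dynamic CRL.
when HTTP_REQUEST {
    # Read the verify result once and reuse it; 0 = OK, 23 = certificate revoked.
    set code [SSL::verify_result]
    set reason [X509::verify_cert_error_string $code]

    if { $code == 0 } {
        log local0. "client cert OK from [IP::client_addr]: $reason ($code)"
        return
    }

    # Any non-zero result (revoked, expired, untrusted issuer, ...) is rejected.
    # Logging the code separately from the string makes a revoked cert (23)
    # distinguishable from other failures when auditing the bug's impact.
    log local0. "client cert rejected from [IP::client_addr]: $reason ($code)"
    HTTP::respond 403 content "<html>Invalid client certificate: $reason</html>\n"
}
```

To confirm the fix on a test virtual server, present a certificate that is listed in the CRL and check /var/log/ltm for a "rejected" line carrying code 23; with the original iRule the same request logs "success" and code 0.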

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips