Bug ID 1064257: Bundled SSL certificates may not get revalidated successfully over OCSP after stapling parameters have been modified.

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:
BIG-IP TMOS (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3

Opened: Nov 25, 2021
Severity: 3-Major

Symptoms

Bundled SSL certificates fail to validate with an OCSP responder, and they are marked invalid in the GUI and tmsh.

Impact

Client SSL traffic may become disrupted if the affected certificates are used to process it.

Conditions

1. One or more bundled certificates (containing intermediate certificates in addition to the subject one) are stored on the BIG-IP.
2. The certificates are configured for monitoring over OCSP.
3. The OCSP stapling parameter "Trusted Responders" is set to 'none'.

Workaround

1. Do not use OCSP status monitoring on subject certificates.
OR
2. Do not use bundled certificates.
OR
3. Set the "Trusted Responders" OCSP stapling parameter to the certificate of the OCSP responder used by the certificates.

Fix Information

None

Behavior Change