Last Modified: Mar 01, 2024
Opened: Jul 04, 2023 Severity: 3-Major
When updating a large CRL file in BIG-IP using tmsh, the file may be partially read due to internal memory allocation failure. Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.
When large CRL file is attached to the profile which was partially read due to memory allocation failure, the profile gets successfully updated. Connections to VIP with this profile may have unexpected results. For e.g. client connecting to VIP with a revoked client certificate will succeed as the CRL was only partially read.
1. Using tmsh, large CRL file is updated to an existing CRL. 2. This large CRL file is attached to multiple profiles. 3. The tmsh modify command is used multiple time in a short span of time that leads to the memory crunch.
1. Dynamic CRL / CRLDP on client-ssl profile can be configured to dynamically verify SSL certificate revocation status. 2. OCSP can be enabled on client-ssl profile to validate SSL certificate revocation status.