Bug ID 1316481: Large CRL file update fails with memory allocation failure

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Opened: Jul 04, 2023

Severity: 3-Major

Symptoms

When updating a large CRL file on BIG-IP using tmsh, the file may be only partially read because of an internal memory allocation failure. Note that the CRL file size that triggers this issue varies with the hardware type, network bandwidth and usage, and available system resources.

Impact

When a large CRL file that was only partially read because of a memory allocation failure is attached to a profile, the profile update still completes successfully. Connections to a virtual server (VIP) using this profile may then behave unexpectedly. For example, a client connecting to the VIP with a revoked client certificate will succeed, because the CRL was only partially read.

Conditions

1. Using tmsh, a large CRL file is updated into an existing CRL object.
2. This large CRL file is attached to multiple profiles.
3. The tmsh modify command is run multiple times in a short span of time, leading to memory pressure.
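One defensive check an operator can apply before attaching a CRL, added here as an example and not part of the F5 bug record or of BIG-IP's own code: parse the outer DER SEQUENCE header of the CRL and compare the length it declares with the number of bytes actually loaded, optionally also comparing a SHA-256 digest against the file that was uploaded. A CRL that was cut short by a partial read then fails the check instead of being silently attached. The sample bytes, the digest constant and the function names are all constructed for this example.

```python
import hashlib
from typing import Optional, Tuple

# Constructed sample: a DER SEQUENCE (tag 0x30) declaring 300 bytes of content
# via the long-form length encoding 0x82 0x01 0x2c. The content is dummy
# filler; a real CRL carries tbsCertList, signatureAlgorithm and signatureValue.
FULL_CRL = b"\x30\x82\x01\x2c" + b"\x00" * 300
TRUNCATED_CRL = FULL_CRL[:200]            # simulates a partial read
FULL_CRL_SHA256 = hashlib.sha256(FULL_CRL).hexdigest()


def der_declared_length(buf: bytes) -> int:
    """Return the total length (header + content) the outer DER TLV declares.

    Raises ValueError when the buffer does not start with a well-formed
    DER SEQUENCE header (a CRL, like a certificate, is an outer SEQUENCE).
    """
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n_len_bytes = first & 0x7F
    if n_len_bytes == 0:                  # indefinite length is BER only, not DER
        raise ValueError("indefinite length not allowed in DER")
    if n_len_bytes > 4 or len(buf) < 2 + n_len_bytes:
        raise ValueError("bad or truncated length field")
    content_len = int.from_bytes(buf[2:2 + n_len_bytes], "big")
    return 2 + n_len_bytes + content_len


def crl_is_complete(buf: bytes) -> bool:
    """True only if the buffer holds exactly the bytes the outer header declares."""
    try:
        return len(buf) == der_declared_length(buf)
    except ValueError:
        return False


def verify_crl_bytes(buf: bytes, expected_sha256: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a loaded CRL may be attached, with a human-readable reason.

    Checks the DER length first (catches a partial read), then an optional
    digest (catches a mismatch against the file that was actually uploaded).
    """
    try:
        declared = der_declared_length(buf)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if len(buf) < declared:
        return False, f"rejected: partial read, got {len(buf)} of {declared} declared bytes"
    if len(buf) > declared:
        return False, f"rejected: {len(buf) - declared} trailing bytes after the CRL"
    if expected_sha256 is not None:
        actual = hashlib.sha256(buf).hexdigest()
        if actual != expected_sha256.lower():
            return False, "rejected: SHA-256 does not match the uploaded file"
    return True, f"ok: complete CRL of {declared} bytes"


if __name__ == "__main__":
    for name, data in (("full", FULL_CRL), ("truncated", TRUNCATED_CRL)):
        print(name, verify_crl_bytes(data, FULL_CRL_SHA256))
```

The length check is deliberately a check on the outer envelope only: it does not validate the CRL signature, so it complements rather than replaces signature verification by the consuming system. Its value here is that a truncated read is detected before the object is attached to any profile, which is exactly the point at which this bug otherwise goes unnoticed.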

Workaround

1. Dynamic CRL / CRLDP can be configured on the client-ssl profile to verify SSL certificate revocation status dynamically.
2. OCSP can be enabled on the client-ssl profile to validate SSL certificate revocation status.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips