Last Modified: Jun 19, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2
Opened: Oct 07, 2024
Severity: 3-Major
Symptoms:
A connection is not reset even if allow-expired-crl is set to disabled.
Impact:
Client certificates are verified against an expired CRL, which could result in incorrect authentication success or failure, depending on the contents of that expired CRL file returned from CRLDP.
Conditions:
1. An expired CRL is returned from CRLDP.
2. allow-expired-crl is set to disabled (allow-expired-crl is disabled by default).
3. The client SSL profile does not have the expired CRL configured locally (crl none); the CRL comes from the CRLDP object, for example:

ltm auth ssl-crldp /Common/CRLDP {
    cache-timeout 10
    servers {
        /Common/CRLDP_server
    }
    use-issuer enabled    <----!!!!!!!!!
}
ltm profile client-ssl /Common/clientssl_auth {
    app-service none
    authenticate always
    ca-file /Common/ca-chain_CRLDP_00694847
    cert-key-chain {
        Intermediate_20200329_CA_20200329_0 {
            cert /Common/Intermediate_20200329
            chain /Common/CA_20200329
            key /Common/Intermediate_20200329
        }
    }
    client-cert-ca /Common/ca-chain_CRLDP_00694847    <-----------!!!!!!!
    crl none
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain false
    peer-cert-mode require
}
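As an added illustration that is not F5 code, the following Python models the decision allow-expired-crl is meant to enforce (reset the connection when the CRL is expired and the option is disabled) next to the behaviour this bug describes (the expired CRL is consulted anyway). The Crl class, the function names, the certificate serials and the dates are all constructed for the example.

```python
"""Added example, not F5 code: a model of how a client-ssl profile with
allow-expired-crl disabled should treat an expired CRL, next to the behaviour
this bug describes. The Crl class, function names, serials and dates are all
constructed for the illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Crl:
    """Only the CRL fields the expiry and revocation checks need."""
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


def crl_is_expired(crl: Crl, now: datetime) -> bool:
    """A CRL is stale once the current time is past its nextUpdate field."""
    return now > crl.next_update


def expected_decision(cert_serial: int, crl: Crl, now: datetime,
                      allow_expired_crl: bool = False) -> str:
    """Behaviour allow-expired-crl is meant to enforce: with the option
    disabled, an expired CRL is not trusted and the connection is reset
    instead of being decided on stale revocation data."""
    if crl_is_expired(crl, now) and not allow_expired_crl:
        return "reset"
    if cert_serial in crl.revoked_serials:
        return "reject"
    return "accept"


def affected_decision(cert_serial: int, crl: Crl, now: datetime,
                      allow_expired_crl: bool = False) -> str:
    """Behaviour described in this bug: the expired CRL returned from CRLDP
    is consulted regardless of the allow-expired-crl setting."""
    if cert_serial in crl.revoked_serials:
        return "reject"
    return "accept"


def compare(cert_serial: int, crl: Crl, now: datetime) -> dict:
    """Side-by-side result for one client certificate."""
    expected = expected_decision(cert_serial, crl, now)
    observed = affected_decision(cert_serial, crl, now)
    return {"expected": expected, "observed": observed,
            "mismatch": expected != observed}


# Constructed sample data. The CRL was issued on 1 Sep 2024 and expired on
# 8 Sep 2024; serial 0x1001 was revoked before it was issued, while serial
# 0x2002 was revoked by the CA afterwards and therefore never appears in it.
SAMPLE_CRL = Crl(
    this_update=datetime(2024, 9, 1, tzinfo=timezone.utc),
    next_update=datetime(2024, 9, 8, tzinfo=timezone.utc),
    revoked_serials=frozenset({0x1001}),
)
NOW = datetime(2024, 10, 7, tzinfo=timezone.utc)             # CRL is expired
WITHIN_VALIDITY = datetime(2024, 9, 5, tzinfo=timezone.utc)  # CRL still current

if __name__ == "__main__":
    for serial in (0x1001, 0x2002):
        print(hex(serial), compare(serial, SAMPLE_CRL, NOW))
```

Running the block shows both mismatches: serial 0x2002, revoked after the stale CRL was issued, is accepted instead of the connection being reset, which is the incorrect authentication success described under Impact; serial 0x1001 is rejected on the strength of the expired CRL rather than reset. Within the CRL's validity window the two functions agree.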
Workaround:
None
Fix Information:
None