Bug ID 487592: Change in the caching duration of OCSP response when there is an error

Last Modified: Dec 15, 2020

Affected Product:
BIG-IP None(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5

Opened: Oct 29, 2014
Severity: 3-Major
Related AskF5 Article:
K65442255

Symptoms

Some OCSP responses that indicate an error (such as an 'unauthorized' response from the responder) are cached indefinitely.

Impact

Responses are cached indefinitely.

Conditions

This occurs with some OCSP responses that indicate an error (such as an 'unauthorized' response from the responder).

Workaround

The response can be deleted from the cache to obtain a new response. The new response will be cached based on whether it is valid and whether the responder indicates an error.

Fix Information

Except when the responder sends a certificate status of 'revoked' or a response status of 'signature required', the response is cached for the duration given by the 'cache-error-timeout' field.

Behavior Change