Bug ID 487592: Change in the caching duration of OCSP response when there is an error

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP None(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF5

Opened: Oct 29, 2014

Severity: 3-Major

Related Article: K65442255

Symptoms

Some of the OCSP responses that indicate an error (such as an 'unauthorized' response from the responder) are cached indefinitely.

Impact

Responses are cached indefinitely.

Conditions

The responder returns one of the OCSP responses that indicate an error (such as an 'unauthorized' response).

Workaround

The response can be deleted from the cache so as to obtain a new response. The new response will be cached based on whether it is valid, and whether the responder indicates an error.

Fix Information

Except when the responder sends a certificate-status 'revoked', or a response status 'signature required', the response is cached for the duration given by the 'cache-error-timeout' field.
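The following added example (not F5 code) models the caching rule above as a small Python cache, with a switch that reproduces the pre-fix symptom. Assumptions: every error status is treated as affected (the page says only "some"), the `ordinary_timeout` name and all timeout values are hypothetical, and the handling of 'revoked' and 'signature required' entries is assumed because the page does not state it.

```python
import math

# RFC 6960 response statuses that signal an error, minus 'sigRequired',
# which the fix text excludes from cache-error-timeout handling.
ERROR_STATUSES = {"malformedRequest", "internalError", "tryLater", "unauthorized"}


class OcspCache:
    """Toy model of a responder cache; fixed=False reproduces the symptom."""

    def __init__(self, ordinary_timeout, cache_error_timeout, fixed=True):
        self.ordinary_timeout = ordinary_timeout        # hypothetical name
        self.cache_error_timeout = cache_error_timeout  # field named on the page
        self.fixed = fixed
        self._entries = {}  # certificate serial -> (status, expires_at)

    def _ttl(self, status):
        if status in ERROR_STATUSES:
            # Pre-fix: the error entry never expires. Post-fix: bounded lifetime.
            return self.cache_error_timeout if self.fixed else math.inf
        # Assumption: 'good', 'revoked' and 'sigRequired' use the ordinary timeout.
        return self.ordinary_timeout

    def put(self, serial, status, now):
        self._entries[serial] = (status, now + self._ttl(status))

    def get(self, serial, now):
        status, expires_at = self._entries.get(serial, (None, 0))
        if status is None or now >= expires_at:
            self._entries.pop(serial, None)  # expired entries force a new query
            return None
        return status

    def delete(self, serial):
        """The workaround: drop the entry so the next lookup refetches."""
        self._entries.pop(serial, None)


def error_still_served(fixed, age_seconds):
    """Cache an 'unauthorized' reply at t=0 and look it up age_seconds later."""
    cache = OcspCache(ordinary_timeout=3600, cache_error_timeout=300, fixed=fixed)
    cache.put("serial-01", "unauthorized", now=0)  # constructed sample entry
    return cache.get("serial-01", now=age_seconds) == "unauthorized"
```

With `fixed=False` the stale error is returned at any age until `delete()` is called, which is why a transient responder misconfiguration can keep affecting certificate validation long after the responder recovers.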

Behavior Change
