Last Modified: Sep 14, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6
Opened: Apr 13, 2015 Severity: 3-Major Related Article:
K16803
When the BIG-IP system is configured for OCSP authentication, if the OCSP server reports that a certificate has been revoked, client connections are reset without sending SSL error alerts.
Client connections are reset without sending SSL error alerts.
BIG-IP system configured for OCSP authentication.
Use the following iRule for the OSCP authentication profile instead of the system-supplied iRule: when CLIENT_ACCEPTED { set tmm_auth_ssl_ocsp_sid 0 set tmm_auth_ssl_ocsp_done 0 } when CLIENTSSL_CLIENTCERT { if {[SSL::cert count] == 0} { return } set ssl_version [SSL::cipher version] set tmm_auth_ssl_ocsp_done 0 if {$tmm_auth_ssl_ocsp_sid == 0} { set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp] AUTH::subscribe $tmm_auth_ssl_ocsp_sid } AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0] AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0] AUTH::authenticate $tmm_auth_ssl_ocsp_sid SSL::handshake hold } when CLIENTSSL_HANDSHAKE { set tmm_auth_ssl_ocsp_done 1 } when AUTH_RESULT { if {[info exists tmm_auth_ssl_ocsp_sid] && ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} { set tmm_auth_status [AUTH::status] array set tmm_auth_response_data [AUTH::response_data] if {$tmm_auth_status == 0} { set tmm_auth_ssl_ocsp_done 1 SSL::handshake resume } elseif {($tmm_auth_status == 1) && ($tmm_auth_response_data(ocsp:response:status) eq "revoked")} { if { $ssl_version equals "TLSv1.2" } { set hex_version "0303" } elseif { $ssl_version equals "TLSv1.1" } { set hex_version "0302" } elseif { $ssl_version equals "TLSv1.0" } { set hex_version "0301" } else { reject } set hex_response "15${hex_version}0002022C" set bin_response [binary format H* $hex_response] TCP::respond "$bin_response" TCP::close } elseif {($tmm_auth_status != -1) || ($tmm_auth_ssl_ocsp_done == 0)} { reject } } }
None