Bug ID 530109: OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2, 11.5.4 HF3

Opened: Jun 26, 2015
Severity: 3-Major
Related AskF5 Article:
K61951580

Symptoms

OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Impact

OCSP auth might fail as wrong URL is used.

Conditions

-- User certificate has AIA configured. -- Option 'Ignore AIA' is unchecked. -- APM is configured.

Workaround

1. Clean URL field. 2. Uncheck option 'Ignore AIA'.

Fix Information

If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. This is correct behavior.

Behavior Change

If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. To use the configured URL, the 'Ignore AIA' setting has to be checked.