Bug ID 530109: OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2, 11.5.4 HF3

Opened: Jun 26, 2015

Severity: 3-Major

Related Article: K61951580

Symptoms

OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Impact

OCSP auth might fail as wrong URL is used.

Conditions

-- User certificate has AIA configured. -- Option 'Ignore AIA' is unchecked. -- APM is configured.

Workaround

1. Clean URL field. 2. Uncheck option 'Ignore AIA'.

Fix Information

If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. This is correct behavior.

Behavior Change

If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. To use the configured URL, the 'Ignore AIA' setting has to be checked.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips