Last Modified: Nov 07, 2022
Affected Product:
See more info
BIG-IP LTM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4
Opened: Mar 04, 2016
Severity: 4-Minor
OCSP Stapling uses either DNS resolver OR proxy server pool to connect to the OCSP responder. In GUI these two configuration options are selective but tmsh allows configuration of proxy-server-pool when use_proxy_server is set to false, and vice-versa.
In following situation: -use_proxy_server: Enabled but incorrectly configured or external proxy server not working or down. -DNS resolver: Enabled and correctly configured. OCSP stapling will not work since device will try to connect to OCSP responder by using proxy regardless DNS resolver configuration. Since this 'double' configuration (DNS+use_proxy_server) only can be done by tmsh, you cannot see in GUI that you actually have both configurations at the same time.
DNS resolver and use_proxy_server are configured at the same time, but only one of these configurations is set to true.
Disable use_proxy_server configuration using tmsh, then device will use DNS resolver to reach OCSP responder.
None
