Bug ID 578097: Enabling the DNS resolver and the proxy server pool at the same time through tmsh in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might cause the OCSP responder not to be reached

Last Modified: Oct 17, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Opened: Mar 04, 2016

Severity: 4-Minor

Symptoms

OCSP Stapling uses either the DNS resolver OR the proxy server pool to connect to the OCSP responder. In the GUI these two configuration options are mutually exclusive, but tmsh allows configuring proxy-server-pool when use_proxy_server is set to false, and vice versa.

Impact

In the following situation:
- use_proxy_server: enabled but incorrectly configured, or the external proxy server is not working or is down.
- DNS resolver: enabled and correctly configured.
OCSP stapling will not work, because the device will try to connect to the OCSP responder through the proxy regardless of the DNS resolver configuration. Since this 'double' configuration (DNS + use_proxy_server) can only be created through tmsh, the GUI does not show that both are configured at the same time.

Conditions

A DNS resolver and use_proxy_server are configured at the same time, but only one of these configurations is set to true.

Workaround

Disable the use_proxy_server configuration using tmsh; the device will then use the DNS resolver to reach the OCSP responder.
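Because the GUI hides the double configuration, the only way to find it is to read the tmsh object itself. The following audit script is an added example, not part of this bug entry or of F5's own tooling: it scans the output of `tmsh list ltm profile ocsp-stapling-params` (the attribute names dns-resolver, proxy-server-pool and use-proxy-server are assumed from that tmsh object) and prints every profile that has a DNS resolver set while use-proxy-server is enabled. The sample output embedded below is constructed so the script runs offline; on a BIG-IP you would pipe the real tmsh output into the same function.

```shell
#!/bin/sh
# Added audit example: flag OCSP stapling profiles that carry both a
# dns-resolver and use-proxy-server enabled, the combination this bug
# entry describes. Attribute names are assumed from the tmsh object
# ltm profile ocsp-stapling-params; values below are placeholders.

# Constructed sample in the shape tmsh prints (not captured from a device).
SAMPLE='ltm profile ocsp-stapling-params ocsp-dns-only {
    dns-resolver /Common/example-resolver
    responder-url http://ocsp.example.invalid/
    use-proxy-server disabled
}
ltm profile ocsp-stapling-params ocsp-double {
    dns-resolver /Common/example-resolver
    proxy-server-pool /Common/example-proxy-pool
    responder-url http://ocsp.example.invalid/
    use-proxy-server enabled
}
ltm profile ocsp-stapling-params ocsp-proxy-only {
    proxy-server-pool /Common/example-proxy-pool
    responder-url http://ocsp.example.invalid/
    use-proxy-server enabled
}'

# Reads tmsh output on stdin; prints the name of each profile where a
# dns-resolver is configured AND use-proxy-server is enabled. Such a
# profile will always go through the proxy, so a broken proxy pool
# silently breaks stapling even though the resolver looks fine.
find_double_config() {
    awk '
        /^ltm profile ocsp-stapling-params/ { name = $4; dns = 0; proxy = 0 }
        /^[[:space:]]*dns-resolver[[:space:]]/                { dns = 1 }
        /^[[:space:]]*use-proxy-server[[:space:]]+enabled/    { proxy = 1 }
        /^}/ { if (dns && proxy) print name }
    '
}

# Offline demonstration against the constructed sample.
# On a BIG-IP: tmsh list ltm profile ocsp-stapling-params | find_double_config
printf '%s\n' "$SAMPLE" | find_double_config
```

Only the second profile is reported: the first has a resolver but the proxy disabled, and the third uses the proxy without a resolver, both of which are the single-path configurations the GUI would produce. Profiles the script names are the ones to fix with the workaround above (disable use_proxy_server through tmsh) or by removing the resolver if the proxy is the intended path.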

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips