Bug ID 599048: BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Jun 14, 2016
Severity: 3-Major

Symptoms

As part of the OCSP Stapling feature, the BIG-IP periodically connects to an OCSP server to certify to its clients that an SSL certificate has not been revoked. It was discovered that these side connections to OCSP servers incorrectly do not use the TCP TIMESTAMPS option.

Impact

Usage of the TCP TIMESTAMPS option can help reduce the time a previously used tuple remains in TIME_WAIT on the OCSP server. Therefore, this can help ensure a new connection from the BIG-IP system to the OCSP server re-using a recent tuple is not rejected by the OCSP server. Note that there is little impact even if sporadically a single connection to the OCSP server fails. The BIG-IP will quickly try again, and clients that receive non-stapled SSL SERVER HELLO messages can perform their own validation of the returned SSL certificate.

Conditions

Use of the OCSP Stapling feature.

Workaround

None

Fix Information

None

Behavior Change