Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.2.1, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2
Fixed In:
13.0.0, 12.1.2 HF1
Opened: Sep 30, 2016 Severity: 3-Major
If there are multiple CAs in the CA bundle and the issuing CA is not the first one, the OCSP responder returns an "unauthorized" response.
The OCSP check in the machine cert check fails, and the user cannot follow the successful branch in the Access Policy. This can result in an authentication failure even though the machine cert is valid.
This happens only when the issuing CA is not the first certificate in the CA file.
Use an iRule Event agent and a Variable Assign agent between the Machine Cert agent and the OCSP Auth agent. Follow these steps:
iRule:
1) Loop through the CA bundle until you find the matching issuer cert.
2) Set this issuer cert in the session variable "session.check_machinecert.last.cert.issuer.cert".
Variable Assign:
3) Read this issuer cert from the session db and assign it back to the same session variable:
session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }
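The following iRule is an added example of steps 1 and 2 of the workaround; it is not code from the F5 bug page or from F5 documentation. It assumes the iRule Event agent ID is "fix_issuer", that the CA bundle has been uploaded as an iFile named "ca-bundle", that the machine cert PEM is available in session.check_machinecert.last.cert.cert, and that X509::pem2der is available on the running version.

```tcl
# Added example (not from the F5 page): select the real issuer from the CA bundle
# by matching the machine cert's issuer DN against each CA's subject DN, instead
# of relying on the first CA in the bundle.
# Assumptions: agent ID "fix_issuer", iFile "ca-bundle", machine cert PEM in
# session.check_machinecert.last.cert.cert, X509::pem2der available.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "fix_issuer" } { return }

    set leaf_pem [ACCESS::session data get "session.check_machinecert.last.cert.cert"]
    if { $leaf_pem eq "" } {
        log local0. "fix_issuer: no machine cert in session, nothing to do"
        return
    }
    set leaf_issuer [X509::issuer [X509::pem2der $leaf_pem]]

    # Split the bundle into individual PEM blocks; '.' matches newlines in Tcl
    # unless -line is given, so a non-greedy match spans each whole block.
    set bundle [ifile get "ca-bundle"]
    set blocks [regexp -all -inline \
        {-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----} $bundle]

    # Step 1: loop until a CA whose subject equals the machine cert's issuer is found.
    foreach ca_pem $blocks {
        if { [X509::subject [X509::pem2der $ca_pem]] eq $leaf_issuer } {
            # Step 2: the OCSP Auth agent reads its issuer cert from this variable.
            ACCESS::session data set "session.check_machinecert.last.cert.issuer.cert" $ca_pem
            log local0. "fix_issuer: issuer set from bundle: $leaf_issuer"
            return
        }
    }
    # No match: leave the variable untouched so the OCSP agent fails as before.
    log local0. "fix_issuer: no CA in bundle matches issuer $leaf_issuer"
}
```

Step 3 (the Variable Assign agent) remains as described on the page; the iRule only populates the session variable that the Variable Assign agent then reads back with mcget -nocache.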
The issuer cert is now looked up in the CA bundle and set correctly, so the OCSP responder no longer returns a failure response.