Bug ID 623401: Intermittent OCSP request failures due to non-optimal default TCP profile setting

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2 HF1, 11.6.1 HF2

Opened: Oct 18, 2016

Severity: 3-Major

Symptoms

The connection between BIG-IP and OCSP responder is not reliable since it uses the default internal TCP configuration which doesn't fit the usage well.

Impact

The BIG-IP as a SSL server fails to staple the OCSP response to the SSL client. In other words, the certificate status messages are not added in the Server Hello message in the TLS handshakes to the SSL client.

Conditions

When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.

Workaround

The fix proposed an optimal TCP configuration used by the connection between BIG-IP and OCSP responder which makes the connection reliable now. Therefore the virtual server can now always correctly staple the certificate status in the Server Hello message to the SSL client.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips