Bug ID 743758: Support dynamic CRL check for clientSSL profile

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,, 14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,,,, 15.0.0, 15.0.1,,,,

Fixed In:

Opened: Sep 11, 2018

Severity: 3-Major


Although dynamic CRL checks for server SSL profile are supported in earlier releases, CRL checks for client SSL profiles are not. The operation fails if you try to assign a CRL validator object to a client SSL profile: tmsh modify ltm profile client-ssl cssl crl my_crl


Unable to dynamically verify the revocation status of the SSL certificate from the client side. Note: The static CRL file configuration still works. But without the (dynamic) CRL validator configuration, it cannot automatically fetch, check, and cache CRL files for certificates received.


When trying to assign a CRL validator to a client SSL profile.


You can partially work around this by developing scripts to keep changing the static CRL file configuration, for example: tmsh modify ltm profile client-ssl cssl crl-file /shared/xxx.crl

Fix Information

Now you can configure a CRL validator object for a client SSL profile. The object automatically fetches, checks, caches, updates, and manages the CRL files, based on the CRL URLs on the SSL certificates whenever a certificate is received, so you no longer need to download, manage, and change the CRL files yourself.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips