Bug ID 743758: Support dynamic CRL check for clientSSL profile

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Fixed In:
15.1.0

Opened: Sep 11, 2018

Severity: 3-Major

Symptoms

Although dynamic CRL checks for server SSL profile are supported in earlier releases, CRL checks for client SSL profiles are not. The operation fails if you try to assign a CRL validator object to a client SSL profile: tmsh modify ltm profile client-ssl cssl crl my_crl

Impact

Unable to dynamically verify the revocation status of the SSL certificate from the client side. Note: The static CRL file configuration still works. But without the (dynamic) CRL validator configuration, it cannot automatically fetch, check, and cache CRL files for certificates received.

Conditions

When trying to assign a CRL validator to a client SSL profile.

Workaround

You can partially work around this by developing scripts to keep changing the static CRL file configuration, for example: tmsh modify ltm profile client-ssl cssl crl-file /shared/xxx.crl

Fix Information

Now you can configure a CRL validator object for a client SSL profile. The object automatically fetches, checks, caches, updates, and manages the CRL files, based on the CRL URLs on the SSL certificates whenever a certificate is received, so you no longer need to download, manage, and change the CRL files yourself.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips