Last Modified: Feb 03, 2026
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6
Fixed In:
21.0.0.1, 17.5.1.4, 17.1.3.1
Opened: Mar 19, 2019
Severity: 4-Minor
As per the DigiCert documentation, OCSP/CRL connections require either HTTP1.1 or HTTP1.0 with a Host header (DigiCert). LTM uses HTTP1.1 without the Host header in OCSP responder requests.
OCSP in the current BIG-IP relies on OpenSSL for its operations, and the version of OpenSSL currently available in BIG-IP is 1.0.2za. OpenSSL 1.0.2 is only capable of generating HTTP/1.0 requests for OCSP and CRL fetches; it does not support HTTP/1.1. This limitation prevents clients from communicating with OCSP/CRL endpoints that require HTTP/1.1, resulting in failed revocation checks in environments where modern protocols are mandated.
OCSP and CRL Authentication uses HTTP1.0 for OCSP responder requests.
Add either of these iRules to the Virtual Server:

Modify HTTP 1.0 to HTTP1.1:

    when HTTP_REQUEST {
        HTTP::version "1.1"
    }

Add Host header:

    when HTTP_REQUEST {
        HTTP::host "[HTTP::host]"
    }
Support for HTTP1.1 is added. OCSP requests for authentication should now use HTTP1.1.
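To confirm which request form a BIG-IP actually sends to the responder, before and after the workaround or the fix, the request bytes from a packet capture can be classified by HTTP version and Host header. The following is an added example, not F5 code; the function name, verdict strings and sample requests (including the host ocsp.example.test) are constructed for illustration.

```python
"""Classify a captured OCSP/CRL HTTP request by version and Host header."""

def classify_request(raw: bytes) -> dict:
    # Only the request head matters; the DER-encoded OCSP body is ignored.
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return {"version": None, "host": None, "verdict": "malformed"}
    version = parts[2][5:].decode("ascii", "replace")
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # Header names are case-insensitive; an empty Host counts as missing.
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace") or None
            break
    if host:
        verdict = "ok"              # HTTP/1.1, or HTTP/1.0 with a Host header
    elif version == "1.0":
        verdict = "http10-no-host"  # the form OpenSSL 1.0.2 generates
    elif version == "1.1":
        verdict = "http11-no-host"  # HTTP/1.1 itself requires a Host header
    else:
        verdict = "no-host"
    return {"version": version, "host": host, "verdict": verdict}

# Constructed sample requests (bodies are placeholder bytes, not real OCSP data).
BODY = b"\x30\x03\x0a\x01"
HDRS = (b"Content-Type: application/ocsp-request\r\n"
        b"Content-Length: 4\r\n\r\n")
SAMPLE_HTTP10_NO_HOST = b"POST /ocsp HTTP/1.0\r\n" + HDRS + BODY
SAMPLE_HTTP11_NO_HOST = b"POST /ocsp HTTP/1.1\r\n" + HDRS + BODY
SAMPLE_HTTP10_HOST = (b"POST /ocsp HTTP/1.0\r\nhost: ocsp.example.test\r\n"
                      + HDRS + BODY)
SAMPLE_HTTP11_HOST = (b"POST /ocsp HTTP/1.1\r\nHost: ocsp.example.test\r\n"
                      + HDRS + BODY)

if __name__ == "__main__":
    for label, sample in [("1.0, no Host", SAMPLE_HTTP10_NO_HOST),
                          ("1.1, no Host", SAMPLE_HTTP11_NO_HOST),
                          ("1.0 + Host", SAMPLE_HTTP10_HOST),
                          ("1.1 + Host", SAMPLE_HTTP11_HOST)]:
        print(label, "->", classify_request(sample))
```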