Last Modified: Oct 13, 2023
BIG-IP LTM, SSLO
Known Affected Versions:
16.0.0, 126.96.36.199, 16.0.1, 188.8.131.52, 184.108.40.206
Opened: Apr 04, 2020
Severity: 3-Major
When SSL Orchestrator is deployed in pure L2 wire mode, a server-side OCSP check may not work if the server does not support stapling. Because there is no TMM route over which to send the OCSP request to the OCSP responder, the OCSP check might fail.
Pure L2 wire mode does not support self IP addresses on virtual wire interfaces, so the BIG-IP system cannot route the OCSP request to the OCSP responder.
-- The BIG-IP system is used in pure L2 wire mode.
-- The server SSL profile configured for the virtual server uses OCSP to check the status of server certificates.
-- The server does not support OCSP stapling.
Configure a VLAN and self IP address on a new interface that is not in L2 wire mode. TMM will use this self IP address to make OCSP requests on the server side to check server certificate status.
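To see which back-end servers meet the third condition (no OCSP stapling) and therefore depend on the BIG-IP system reaching the OCSP responder itself, the stapling section of `openssl s_client -status` output can be classified. This is an added example, not F5 code; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not F5 code): classify the OCSP stapling section of
# `openssl s_client -status` output read from stdin.
classify_stapling() {
    awk '
        # Server sent no stapled response: the client must query the responder.
        /OCSP response: no response sent/ { print "not-stapled"; found = 1; exit }
        # A stapled response that is not "successful" cannot be relied on.
        /OCSP Response Status:/ && $0 !~ /successful/ { print "stapled-error"; found = 1; exit }
        # "Cert Status: good|revoked|unknown" -> third field is the status.
        /Cert Status:/ { print "stapled-" $3; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# Exit 0 when the output on stdin shows a server that does not staple,
# i.e. one that matches the "does not support OCSP stapling" condition.
needs_responder_route() {
    [ "$(classify_stapling)" = "not-stapled" ]
}

# Query a live server; host ($1) and optional port ($2) come from the caller.
check_server() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_stapling
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---'

SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
---'
```

Servers reported as `not-stapled` are the ones whose certificate status check relies on the self IP address described in the workaround.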