Bug ID 911777: BIG-IP SSL forward proxy might drop connection to servers with revoked certificate status.

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM, SSLO (all modules)

Known Affected Versions:
16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2

Fixed In:
16.1.0

Opened: May 26, 2020

Severity: 3-Major

Symptoms

If the server certificate status is revoked, SSL forward proxy configured with a new server SSL profile might drop the connection.

Impact

BIG-IP client connections are reset.

Conditions

-- New SSL forward proxy server SSL profile is attached to the virtual server.
-- Revoked-cert-status-response-control is set to the default value (drop).
-- Certificate status service (e.g., CRL/OCSP) is configured on the server SSL profile.

Workaround

Change revoked-cert-status-response-control to ignore on the server SSL profile.

Fix Information

If ssl-forward-proxy is enabled for new server SSL profiles and revoked-cert-status-response-control is not specified, it is automatically set to ignore. Client connections go through, and the client sees a forged revoked certificate status.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips