Last Modified: Sep 13, 2023
Known Affected Versions:
188.8.131.52, 15.1.1, 15.1.2, 184.108.40.206, 15.1.3, 220.127.116.11, 15.1.4, 18.104.22.168, 15.1.5, 22.214.171.124, 15.1.6
17.0.0, 126.96.36.199, 188.8.131.52
Opened: Sep 12, 2020
Severity: 2-Critical
In SSL reverse proxy mode, dynamic CRL checking of the client certificate does not work when a TLS 1.3 handshake is used. The SSL handshake completes successfully even though the client certificate is revoked.
The handshake should fail but completes successfully.
-- Dynamic CRL checking is enabled on a client-ssl profile.
-- The client-side SSL handshake uses TLS 1.3.
The issue occurred because the Dynamic CRL revocation check had not been integrated into TLS 1.3. After Dynamic CRL checking is integrated into TLS 1.3, the TLS handshake works as expected.