Bug ID 965537: SSL filter does not re-initialize when OCSP validator is modified

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
14.1.3, 14.1.2.8

Fixed In:
14.1.4

Opened: Nov 18, 2020

Severity: 3-Major

Symptoms

The client SSL or server SSL profile can specify an OCSP object for client or server certificate status validation. After the DNS resolver of that OCSP object is modified, the SSL filter keeps using the nameserver it loaded at initialization and never picks up the new one. In other words, an incorrect OCSP responder will be contacted.

Impact

The incorrect (that is, the original) OCSP responder is contacted to obtain the peer certificate's revocation status.

Conditions

An OCSP object is configured in a Client Certificate Constrained Delegation (C3D) client SSL profile or in a server SSL profile, and the OCSP object is later modified.

Workaround

None

Fix Information

When an OCSP validator is modified, the system now reloads the SSL profile that references it, so the new DNS resolver is picked up.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips