Forum Discussion
Phl_72583
Nimbostratus
Sep 24, 2008
Bypass OCSP for certain hosts
Hi all,
Disclaimer: An F5 novice throwing up a Hail Mary.
I have a client certificate used by an external entity - over which I have no control - that will not pass an OCSP validation. I need to force that certificate to be accepted by some "authentication profile" so it can be used to set up the two-way SSL session and thus be passed inside for further use by the app server - another asset I do not have access to.
I can't bypass authentication completely because the client certificate is needed for authorization purposes later. I can't send the cert in separately via an HTTP Header because I have no control over the app server.
The "authentication profile" in use is an OCSP Responder and is also the only means I have to authenticate. There is no other LDAP server or RADIUS server.
Is there a way to see that the cert is coming from a certain IP, force-accept it and continue with my handshake? I guess I'm looking for another option in the available authentication profile types - maybe a local cert store or local [ldap] repo of user creds - or just a way to cheat the code into thinking that the AUTH::authenticate call actually happened and returned successfully...
I would LOVE to simply get the external entity to use a valid cert...such is life. I realize that this could quite possibly be a horrible question not worth answering and I apologize for that in advance. I do hope you consider responding.
Thanks all.
- Phl_72583
Nimbostratus
Thanks for the response. I intended to follow up but this fell through the cracks as it turned into a dead issue.