

Luke_Lehman
Nov 09, 2012

Client Certs, CRL & OCSP

Hey All,

 

Running 10.2.1.

 

We are currently using a CRL based approach for client cert authentication. We are downloading multiple CRLs from different vendors and then combining them into one "combo CRL" (simple concatenation).

 

For multiple reasons, we are attempting to upgrade to 10.2.4. However, we have found that the LTM no longer supports combined CRLs. Have others run into the same problem?

 

The reason we used this approach is so that multiple business partners could consume the same webservice and use client certs from different CAs.

 

After finding out that the LTM doesn't support combo CRLs, we are left with a couple of options:

 

  1. Require all business partners to use the same CA (still might not work as CRL URLs may still not match)
  2. Be forced to create a new VIP (SSL Profile) for each different business partner
  3. Utilize OCSP

In looking at the utilization of OCSP, it seems that comes with some caveats as well. Such as:

 

  1. LTMs currently do not have Internet access
  2. CRL URLs would have to be looked up via DNS (DNS not currently enabled on LTM on purpose)
  3. We don't currently have an internal OCSP setup, and not sure if I can get our security folks on board with setting one up

Essentially, I'm wondering if others have run into similar things and which direction they chose to pursue.

 

If possible, I'd like to see if we can use the same webservice, VIP & SSL profile (although it wouldn't break my heart to have to create multiple) - but is it realistic to think that Vendors could request a client cert with the same CRL URL?

 

As always - thanks to the great community...

 

1 Reply

  • However, we have found that the LTM no longer supports combined CRLs.

    I'm not sure that's correct. You should definitely be able to import multiple PEM-based CRLs into a single CRL object. I'd have to look at the release notes for the 10.2.4 HFs, but it absolutely works in v11.

    With multiple CAs, I ultimately believe your best bet is a local OCSP resource. It's the most scalable and resilient option, and you can simply use Win2008 OCSP services (free). Better yet, if you point your OCSP responder configuration at another BIG-IP VIP, you can load balance and monitor multiple responders for increased HA and scale.
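The "combo CRL" described in the original post, and the reply's point that multiple PEM CRLs can live in one object, can both be checked outside the BIG-IP with nothing but the openssl CLI. The script below is an added example; it is not from this thread and not F5 code. It builds two constructed toy CAs ("vendorA" and "vendorB", standing in for two business partners' CAs), issues a client cert from each, revokes one, concatenates both CRLs into a single PEM file, and verifies each client cert against the combined CA bundle and combined CRL. It assumes only that `openssl` is on PATH; every name, path and function is made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not F5 code). Needs only the openssl CLI.
# Two constructed CAs ("vendorA", "vendorB") stand in for two business partners' CAs.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Request/CA-cert config shared by both toy CAs; -subj overrides the placeholder DN.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: self-signed CA plus the bookkeeping files "openssl ca" needs.
make_ca() {
  name=$1
  mkdir -p "$name/issued"
  : > "$name/index.txt"
  echo 1000 > "$name/serial"
  echo 01 > "$name/crlnumber"
  openssl req -x509 -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$name/ca.key" -out "$name/ca.crt" -subj "/CN=$name" -days 1 2>/dev/null
  cat > "$name/ca.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
dir = $name
database = \$dir/index.txt
new_certs_dir = \$dir/issued
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 1
default_crl_days = 1
policy = any_cn
x509_extensions = client_ext
[ any_cn ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue_client CA CN: client certificate CN.crt signed by CA.
issue_client() {
  openssl req -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$2.key" -out "$2.csr" -subj "/CN=$2" 2>/dev/null
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$2.csr" -out "$2.crt" 2>/dev/null
}

# revoke_client CA CN / gen_crl CA: mark CN.crt revoked, then publish CA/ca.crl.
revoke_client() { openssl ca -config "$1/ca.cnf" -revoke "$2.crt" 2>/dev/null; }
gen_crl()       { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null; }

# verify_client CERT CRLFILE: returns 0 if CERT chains to combo-ca.pem and is not
# revoked by the CRLs in CRLFILE. The "OK" status line is checked instead of the
# exit code because older openssl releases exit 0 even when verification fails.
verify_client() {
  out=$(openssl verify -crl_check -CAfile combo-ca.pem -CRLfile "$2" "$1" 2>&1 || true)
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# crl_count FILE: number of PEM CRLs in a (possibly concatenated) file.
crl_count() { grep -c 'BEGIN X509 CRL' "$1"; }

make_ca vendorA
make_ca vendorB
issue_client vendorA partner-a
issue_client vendorB partner-b
issue_client vendorB partner-b-old
revoke_client vendorB partner-b-old
gen_crl vendorA
gen_crl vendorB

# The "combo" approach from the post: one CA bundle and one concatenated CRL file.
cat vendorA/ca.crt vendorB/ca.crt > combo-ca.pem
cat vendorA/ca.crl vendorB/ca.crl > combo-crl.pem

for c in partner-a partner-b partner-b-old; do
  if verify_client "$c.crt" combo-crl.pem; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```

The point worth keeping in mind for the multi-vendor setup: with `-crl_check` (and with any verifier that requires CRLs), a client cert is rejected not only when its serial is listed, but also when no CRL from its issuing CA is present at all. So if one vendor's CRL download fails and the concatenation step silently drops it, every client of that vendor is refused until the next successful refresh. Counting the CRLs in the combined file (as `crl_count` does) before installing it is a cheap guard against that.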