Forum Discussion
CRL or OCSP in SSLO
Hi
Can someone explain to me if and how SSLO does CRL checks? I assume that it should automatically perform these certificate revocation checks on behalf of the client since it proxies the client's connection. Other proxy servers are explicit and clear on what they do and how they do this, but I've struggled to find concise information on how it works on SSLO.
I see CRL and OCSP check boxes that can be configured in SSL configuration in the SSLO GUI, but I struggle to understand how this will work, since each public web server indicates its own OCSP responder or CRL DP.
Any help on how SSLO does certificate revocation checks, or if it has to be manually configured, will be appreciated.
- MaximeA (Nimbostratus)
Hello Elemzy,
I hope I'm not out of line. I had seen in the link below a brief explanation of the CRL and OCSP options in the SSL Configurations: https://clouddocs.f5.com/training/community/sslviz/html/archive3/module1/lab05.html
Best Regards,
Maxime AUDRAIN
- elemzy (Altostratus)
Thanks, Kevin,
I configured OCSP as described, but it doesn't work with my test site "revoked[.]badssl[.]com". Still waiting for F5 support to help figure out why.
- Kevin_Stewart (Employee)
revoked.badssl.com probably isn't a good test. Server side OCSP will attempt to perform one of two functions:
- An OCSP stapling request, in which the BIG-IP sends a status_request message in the TLS handshake and expects to receive an OCSP stapled response.
- If the above doesn't work, the BIG-IP will attempt to read the AIA field from the server cert and do a direct OCSP request.
revoked.badssl.com neither participates in OCSP stapling nor contains an AIA field. A better option would be revoked.grc.com. You can see the cert attributes like this:
echo | openssl s_client -connect revoked.badssl.com:443 -showcerts 2>&1 | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -text
echo | openssl s_client -connect revoked.grc.com:443 -showcerts 2>&1 | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -text
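As an added example (not part of the thread and not anything F5 ships), the script below checks a server against the two server-side OCSP paths Kevin lists: first, whether the server answers a status_request with a stapled OCSP response, and second, whether the leaf certificate carries an OCSP URI in its AIA extension that a direct OCSP request could use. The embedded openssl output fragments are constructed samples used to exercise the parsing functions offline; the hostname on the usage line is whatever you choose to probe.

```bash
#!/usr/bin/env bash
# Added example: classify a TLS server against the two server-side OCSP paths
# described in the thread. Not SSLO configuration and not F5 code.

# Constructed sample of `openssl s_client -status` output when the server
# does NOT staple (this is the text openssl prints in that case).
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.test'

# Constructed sample of the same output when a stapled response is present.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'

# Constructed fragment of `openssl x509 -noout -text` output with an AIA extension.
SAMPLE_X509_WITH_AIA='            Authority Information Access: 
                OCSP - URI:http://ocsp.example.test
                CA Issuers - URI:http://ca.example.test/issuer.crt'

# Constructed fragment of a certificate with no AIA extension at all.
SAMPLE_X509_NO_AIA='            X509v3 Subject Alternative Name: 
                DNS:example.test'

# Path 1 (stapling): did the server answer the status_request extension?
# Prints "stapled", "none", or "unknown" for s_client -status output.
classify_staple() {
  if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
    echo stapled
  elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
    echo none
  else
    echo unknown
  fi
}

# Path 2 (direct request): extract OCSP responder URL(s) from the AIA extension
# in x509 -text output. Prints one URL per line, nothing if none is present.
aia_ocsp_urls() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*OCSP - URI:[[:space:]]*//p'
}

# Which path a proxy doing server-side OCSP could use, given both outputs:
# "stapling", "direct-ocsp", or "no-ocsp-path".
revocation_path() {
  local staple urls
  staple=$(classify_staple "$1")
  urls=$(aia_ocsp_urls "$2")
  if [ "$staple" = stapled ]; then
    echo stapling
  elif [ -n "$urls" ]; then
    echo direct-ocsp
  else
    echo no-ocsp-path
  fi
}

# Live probe (needs network and the openssl CLI): s_client -status prints the
# leaf certificate PEM, so the same output feeds both checks.
probe_host() {
  local host="$1" staple_out cert_text
  staple_out=$(echo | openssl s_client -connect "$host:443" -servername "$host" -status 2>&1)
  cert_text=$(printf '%s\n' "$staple_out" \
    | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
    | openssl x509 -noout -text 2>/dev/null)
  echo "$host: staple=$(classify_staple "$staple_out") aia=$(aia_ocsp_urls "$cert_text" | tr '\n' ' ')"
  echo "$host: path=$(revocation_path "$staple_out" "$cert_text")"
}

# Usage: bash ocsp_paths.sh revoked.grc.com
if [ -n "${1:-}" ]; then
  probe_host "$1"
fi
```

Running it against both test sites from the thread shows, per host, whether a stapled response came back and which OCSP URI (if any) the leaf certificate advertises, which is exactly the distinction that decides whether a server-side OCSP check has anything to work with.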
- elemzy (Altostratus)
Hi Kevin,
I see the difference between both sites on the F5, but I did find an AIA field in the revoked.badssl.com certificate in both firefox and edge.
I also got a response from F5 support, and I was asked to change the "Trusted Responders" field to none. SSL started blocking revoked.badssl.com after this change, and I got the following in my log "Certificate with subject name (/CN=revoked.badssl.com) and serial number (0X0D2E67A298853B9A5452E3A285A4572F) is revoked"
I asked for the rationale behind this change, but I've not gotten a response.