Forum Discussion
elemzy (Altostratus), Sep 19, 2022
CRL or OCSP in SSLO
Hi, can someone explain to me if and how SSLO does CRL checks? I assume that it should automatically perform these certificate revocation checks on behalf of the client since it proxies the client's...
elemzy (Altostratus), Sep 26, 2022
Thanks, Kevin,
Configured OCSP as described but it doesn't work with my test site "revoked[.]badssl[.]com". Still waiting for F5 support to help figure out why.
Kevin_Stewart (Employee), Sep 29, 2022
revoked.badssl.com probably isn't a good test. Server-side OCSP will attempt to perform one of two functions:
- An OCSP stapling request, in which the BIG-IP sends a status_request message in the TLS handshake and expects to receive an OCSP stapled response.
- If the above doesn't work, the BIG-IP will attempt to read the AIA field from the server cert and do a direct OCSP request.
revoked.badssl.com neither participates in OCSP stapling nor contains an AIA field. A better option would be revoked.grc.com. You can see the cert attributes like this:
echo | openssl s_client -connect revoked.badssl.com:443 -showcerts 2>&1 |sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |openssl x509 -noout -text
echo | openssl s_client -connect revoked.grc.com:443 -showcerts 2>&1 |sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |openssl x509 -noout -text
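To find out in advance which of the two server-side checks a test site can actually satisfy, here is an added shell example (not code from this thread or from F5) that runs the same two steps with the openssl CLI: first a TLS status_request asking the server to staple an OCSP response, then the fallback of reading the OCSP responder URI from the leaf certificate's AIA extension and sending a direct OCSP request with the issuer certificate the server supplied. The host names, file paths and the `ocsp.example.test` URI are placeholders; the `live_*` functions need network access, while `nth_cert` and `ocsp_uri` work on any local PEM file.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5: reproduces on the
# command line the two server-side OCSP checks described above, so you can
# see which one a candidate test site is able to satisfy. Host names and
# the ocsp.example.test URI are placeholders; live_* functions need network.

# Print the n-th certificate of a PEM bundle (1 = leaf, 2 = its issuer).
nth_cert() {
  awk -v n="$2" '
    /-BEGIN CERTIFICATE-/ { c++ }
    c == n                { print }
    /-END CERTIFICATE-/ && c == n { exit }' "$1"
}

# Print the OCSP responder URI from the AIA extension of a PEM certificate.
# Returns 1 and prints nothing when there is no OCSP entry, which is exactly
# the situation in which BIG-IP's direct-request fallback has no responder
# to ask (the revoked.badssl.com case).
ocsp_uri() {
  uri=$(nth_cert "$1" 1 | openssl x509 -noout -ocsp_uri)
  [ -n "$uri" ] || return 1
  printf '%s\n' "$uri"
}

# Check 1 (live): send the TLS status_request extension and succeed only if
# the server actually staples an OCSP response.
live_staple_check() {
  echo | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
    | grep -q 'OCSP Response Status: successful'
}

# Check 2 (live): fetch the chain, read the AIA URI from the leaf and send a
# direct OCSP request using the issuer certificate the server sent.
live_direct_ocsp() {
  dir=$(mktemp -d)
  echo | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null \
    > "$dir/chain.pem"
  nth_cert "$dir/chain.pem" 1 > "$dir/leaf.pem"
  nth_cert "$dir/chain.pem" 2 > "$dir/issuer.pem"
  if uri=$(ocsp_uri "$dir/leaf.pem"); then
    # openssl ocsp reports the leaf as "<path>: good|revoked|unknown".
    openssl ocsp -issuer "$dir/issuer.pem" -cert "$dir/leaf.pem" -url "$uri" 2>/dev/null \
      | grep -E ': (good|revoked|unknown)'
    rc=$?
  else
    echo "no OCSP URI in AIA: the direct-request fallback cannot run"
    rc=2
  fi
  rm -rf "$dir"
  return $rc
}

# Usage: run_checks revoked.grc.com
run_checks() {
  if live_staple_check "$1"; then
    echo "$1: stapled OCSP response received"
  else
    echo "$1: no stapled response, trying the AIA fallback"
    live_direct_ocsp "$1"
  fi
}
```

If `run_checks` ends with "the direct-request fallback cannot run", the site gives BIG-IP nothing to check against either way, so a failed revocation test against it says nothing about the SSLO configuration. Note that `openssl ocsp` is called here without a trust anchor for the responder's signature, so the status line is for diagnosing reachability and AIA contents, not for trusting the answer.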