Forum Discussion
CRL or OCSP in SSLO
revoked.badssl.com probably isn't a good test. Server-side OCSP will attempt to perform one of two functions:
- An OCSP stapling request, in which the BIG-IP sends a status_request message in the TLS handshake and expects to receive an OCSP stapled response.
- If the above doesn't work, the BIG-IP will attempt to read the AIA field from the server cert and do a direct OCSP request.
revoked.badssl.com neither participates in OCSP stapling nor contains an AIA field. A better option would be revoked.grc.com. You can see the cert attributes like this:
echo | openssl s_client -connect revoked.badssl.com:443 -showcerts 2>&1 |sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |openssl x509 -noout -text
echo | openssl s_client -connect revoked.grc.com:443 -showcerts 2>&1 |sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |openssl x509 -noout -text
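Added example (not part of the original post): a shell sketch that reports which of the two paths described above a server can satisfy, checking first for a stapled response and then for an OCSP URL in the certificate's AIA extension. The function names and the sample text are constructed for illustration; `example.test` URLs are placeholders.

```shell
# Constructed samples of `openssl s_client -status` and `openssl x509 -text` output.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'
SAMPLE_UNSTAPLED='OCSP response: no response sent'
SAMPLE_CERT_AIA='        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ocsp.example.test
                CA Issuers - URI:http://ca.example.test/issuer.crt'
SAMPLE_CERT_NO_AIA='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE'

# stdin: s_client -status output. Succeeds if the server stapled an OCSP response.
has_staple() {
  grep -q 'OCSP Response Status: successful'
}

# stdin: x509 -text output. Prints each OCSP responder URL listed in the AIA extension.
aia_ocsp_urls() {
  sed -n 's/^[[:space:]]*OCSP - URI://p'
}

# classify <handshake-text> <cert-text>
# Prints "stapled", "aia:<url>", or "none" (neither path is available).
classify() (
  if printf '%s\n' "$1" | has_staple; then
    echo "stapled"
    exit 0
  fi
  urls=$(printf '%s\n' "$2" | aia_ocsp_urls)
  if [ -n "$urls" ]; then echo "aia:$urls"; else echo "none"; fi
)

# Live check. Uses two connections so that any certificates printed inside a
# stapled response are not mistaken for the server's own certificate.
check_host() (
  host=$1
  hs=$(echo | openssl s_client -connect "$host:443" -servername "$host" -status 2>&1)
  cert=$(echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null |
         openssl x509 -noout -text)
  classify "$hs" "$cert"
)
```

Source the file and run `check_host revoked.grc.com` (or any other host) to get the one-line result for a live server.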
Hi Kevin,
I see the difference between both sites on the F5, but I did find an AIA field in the revoked.badssl.com certificate in both Firefox and Edge.
I also got a response from F5 support, and I was asked to change the "Trusted Responders" field to none. SSL started blocking revoked.badssl.com after this change, and I got the following in my log: "Certificate with subject name (/CN=revoked.badssl.com) and serial number (0X0D2E67A298853B9A5452E3A285A4572F) is revoked"
I asked for the rationale behind this change, but I've not gotten a response.