CRL Validator
From v15.1 onwards client SSL profiles support CRL validator objects as per this bug report:
I have no experience of CRL Validator. I have just started to read about it, but I haven't found much info and would appreciate input from those who already have experience to help me properly understand its operation and benefits/limitations.
The following devcentral post discusses it:
Support dynamic CRL check for clientSSL profile (B... - DevCentral (f5.com)
The F5 client SSL overview pages don't look to cover it, but the following describes it from the server SSL profile point of view (heading "Create a custom Server SSL profile that supports CRL"):
So first off let me just make sure I have understood the basic setup (please correct anything I have wrong):
1) Client SSL profile set up as normal for client authentication e.g. require a cert, and attached to relevant VS.
2) Internal proxy created referencing a DNS resolver. The DNS resolver is used to map any of the expected DNS zones referenced in CRLDPs to DNS servers that can perform the name resolution.
3) CRL object created referencing internal proxy.
4) CRL object attached to client SSL profile mentioned in point 1.
In this setup the F5 will examine the CRLDP contained within the client cert, perform a DNS lookup for it, and then progress to download the CRL to use for checking the client cert. So I have the following pieces I want to understand (answers for any appreciated :-)......
> How are different methods e.g. LDAP/HTTP handled?
> What is the approach if multiple CRLDPs are specified in the cert?
> What happens if the CRLDP isn't covered by the DNS zones in the DNS resolver?
> Is there any mechanism to restrict the set of CRLDPs that this download and cert check will operate for, i.e. only perform the operation if the CRLDP in the cert matches a specific set of known CRLDPs (I assume not in the normal setup, it would need to be performed via the likes of an iRule instead?)
> The CRL object has a setting "Strict Revocation Check". The operation of this isn't clear to me - it seems like if it is set the client connection is paused until the CRL is downloaded and checked, or if not set the F5 starts the download but returns 'unknown' for the cert revocation check - if that is the case will the SSL connection be allowed to establish anyway or how is the unknown status handled?
> What sort of error handling is used, e.g. what if the F5 can't connect to the CRLDP - is there a timeout value used? What if it does connect but is taking a long time to download - will the SSL handshake be paused indefinitely (I assume based on the setting of Strict Revocation Check?) - if so have folks needed to increase the SSL handshake timeout setting in the SSL profile?
> The CRL is cached - is that governed by the contents of the CRL itself, e.g. the nextUpdate field, or is it configurable?
> Is there any way to manually specify specific CRLDPs that will be downloaded and constantly refreshed whether certificates which reference them are received or not?
The last query is the main reason I am looking into the CRL Validator setup in the first place. I have a use case whereby client certs can be presented which will be signed by a few different CAs, and therefore multiple CRLs need to be checked, not just one. I have seen comments that this can be achieved by downloading the different CRLs (the CRLDPs are already known) and simply concatenating them (in PEM format) - e.g. done periodically by iCall or bash script, and the concatenated 'bundle' is then specified as the crl-file on the client SSL profile. However, I raised an F5 support request to check if the F5 does definitely support concatenated CRL files in the client SSL profile and unfortunately the answer was no.
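As an added illustration (not from the post above and not F5 code), the following shell script uses the openssl command line to walk through, entirely offline, the three steps the post describes a CRL validator performing on a presented client cert: reading the CRLDP out of the cert, reading the CRL's nextUpdate (the value a cache would naturally expire on), and checking the cert against the CRL. It builds two throwaway CAs for the multi-CA use case, issues client certs that carry a placeholder CRLDP URL (never fetched), revokes one cert per CA, and then verifies each cert against a concatenated PEM bundle of both CRLs. openssl accepts such a bundle, which is what the iCall/bash workaround relies on; whether the BIG-IP client SSL profile does is exactly the question the post raises. Every CA name, user name, URL and file name below is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the DevCentral post and not F5 code: reproduces with the
# openssl CLI, fully offline, what a CRL validator does with a presented client cert.
# Every CA, cert, key, URL and file name below is constructed for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# make_ca NAME CRLDP_URL USER... : build a throwaway CA, issue one cert per USER
# carrying CRLDP_URL (a placeholder, nothing is ever downloaded), revoke the
# first USER and emit NAME.crl.
make_ca() {
    name=$1; url=$2; shift 2; revoked=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.pem" \
        -days 2 -subj "/CN=$name" 2>/dev/null
    printf '[ v3_client ]\ncrlDistributionPoints = URI:%s\n' "$url" > "$name.ext"
    for u in "$@"; do
        openssl req -newkey rsa:2048 -nodes -keyout "$u.key" -out "$u.csr" \
            -subj "/CN=$u" 2>/dev/null
        openssl x509 -req -in "$u.csr" -CA "$name.pem" -CAkey "$name.key" -CAcreateserial \
            -days 1 -extfile "$name.ext" -extensions v3_client -out "$u.pem" 2>/dev/null
    done
    # minimal 'openssl ca' config: only what -revoke and -gencrl need
    cat > "$name.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $name.idx
new_certs_dir = .
certificate = $name.pem
private_key = $name.key
serial = $name.srl
default_md = sha256
default_days = 1
default_crl_days = 1
policy = pol
[ pol ]
commonName = supplied
EOF
    touch "$name.idx"
    openssl ca -config "$name.cnf" -revoke "$revoked.pem" 2>/dev/null
    openssl ca -config "$name.cnf" -gencrl -out "$name.crl" 2>/dev/null
}

# Step 1 of the validator: the CRLDP URI(s) carried in the presented cert.
crldp_of() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints | sed -n 's/.*URI://p' | tr -d ' \r'
}

# Cache hint: the CRL's own nextUpdate, the natural expiry for a cached copy.
crl_next_update() { openssl crl -in "$1" -noout -nextupdate | cut -d= -f2-; }

# Step 3: revocation check. $1 cert, $2 PEM bundle of CA certs, $3 PEM bundle of CRLs.
# Prints good, revoked, or error (any other verification failure, e.g. a stale CRL).
check_cert() {
    out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1) && { echo good; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo error ;;
    esac
}

# Two CAs, as in the post's multi-CA use case; alice (caA) and carol (caB) get revoked.
make_ca caA http://crl-a.example.invalid/a.crl alice bob
make_ca caB http://crl-b.example.invalid/b.crl carol
cat caA.pem caB.pem > cas.pem        # trust bundle, PEM concatenation
cat caA.crl caB.crl > bundle.crl     # CRL bundle, PEM concatenation

# Stand-alone demo output
for u in alice bob carol; do
    printf '%-6s crldp=%s status=%s\n' "$u" "$(crldp_of "$u.pem")" \
        "$(check_cert "$u.pem" cas.pem bundle.crl)"
done
echo "caA CRL nextUpdate: $(crl_next_update caA.crl)"
```

Run it as-is; it needs only the openssl binary and writes everything to a temporary directory. The `error` branch of `check_cert` is the interesting one for the "what if the CRL can't be fetched" questions: openssl treats a missing or expired CRL as a hard verification failure when `-crl_check` is on, which is the behaviour the post's "Strict Revocation Check" setting appears to toggle on the BIG-IP.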