For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

_JOHN_'s avatar
_JOHN_
Icon for Altocumulus rankAltocumulus
Aug 10, 2022

CRL Validator

From v15.1 onwards client SSL profiles support CRL validator objects as per this bug report: Bug ID 743758 (f5.com) I have no experience of CRL Validator.  I have just started to read about it, but...
application delivery
security
F5-Enthusiast-X's avatar
F5-Enthusiast-X
Icon for Altocumulus rankAltocumulus
Apr 11, 2024

Hello together,

 

interesting topic so far also for me.

I found that that the dynamic CRL files seems to be cached really long. We have one dynamic CRL which got queried 6 times in about 6 month based on output of "tmsh show sys crypto cert-validator crl". 

 

These dynamic CRLs seems to be saved under: "/config/filestore/crl_file_cache_d/"
Unfortunately, these are not in standard openssl x509 CRL format.
So I can't verify them with "openssl crl -in <crl-file-name> -noout -text". Result is currently:

"unable to load CRL
140058772170416:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: X509 CRL"

 

We would also like to know, how to verify the content of the current loaded CRL for troubleshooting purpose. Also it is needed for us to have a way of forcing a re-download a CRL.

 

Regards