Forum Discussion
Hille_de_Graaf_
Nimbostratus
Apr 13, 2010
CRL verification in iRule
Hi,
Is it possible to verify an SSL CRL (Certificate Revocation List) within an iRule?
The reason is that we have two different CA issuers (from the same PKI company) with two...
hoolio
Cirrostratus
Apr 13, 2010
Hi Hille,
Are you using the advanced client auth license to check the CRL? I worked with a poster here for a similar situation with OCSP authentication where the person had two different CAs' OCSP servers they needed to check client certs against. The solution we came up with was to use a VIP and iRule to select the correct OCSP URL based on the client cert that was being validated. We then configured this VIP as the URL for the OCSP responder. I imagine you could do something similar for the CRL. This CRL load balancing VIP would be used internally to perform the CRL validation--not as a second VIP that the clients connect to.
If this seems like it might work for your scenario, let me know and I'll try to clean up and anonymize the OCSP example. It might also be worth checking with either an F5 account manager/presales person or F5 Support to see if there's a simpler solution.
Aaron
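
The responder selection described in the reply above, sketched in Python as an added example (it is not code from this thread and not an iRule). It assumes the internal front end chooses the backend from the `issuerNameHash` field of the OCSP request's CertID (RFC 6960); the CA names, responder URLs and sample request are constructed.

```python
import hashlib

def tlv(tag, body):  # DER encoder for the constructed sample (short lengths only)
    return bytes([tag, len(body)]) + body

def read_tlv(data, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length = data[pos], data[pos + 1]  # IndexError if the header is cut off
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:pos + length], pos + length

def first_sequence(body):  # content of the first SEQUENCE, skipping tagged fields
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if tag == 0x30:
            return inner
    raise ValueError("no SEQUENCE found")

def issuer_name_hash(body):
    """Extract CertID.issuerNameHash from the first Request of an OCSPRequest."""
    for _ in range(5):  # OCSPRequest, tbsRequest, requestList, Request, CertID
        body = first_sequence(body)
    _, _, pos = read_tlv(body)  # skip hashAlgorithm
    tag, name_hash, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("issuerNameHash is not an OCTET STRING")
    return name_hash

# Constructed stand-ins for the two issuing CAs' DER subject names and responders.
CA_A, CA_B = b"constructed subject of CA A", b"constructed subject of CA B"
RESPONDERS = {hashlib.sha1(CA_A).digest(): "http://ocsp-a.example.internal",
              hashlib.sha1(CA_B).digest(): "http://ocsp-b.example.internal"}

def select_responder(request):  # None means: refuse, do not forward anywhere
    try:
        return RESPONDERS.get(issuer_name_hash(request))
    except (ValueError, IndexError):
        return None

def build_request(issuer, serial=b"\x01"):  # constructed single-cert OCSPRequest
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))  # SHA-1
    cert_id = tlv(0x30, alg + tlv(0x04, hashlib.sha1(issuer).digest())
                  + tlv(0x04, bytes(20)) + tlv(0x02, serial))
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))
```

A request whose CertID was built with a hash other than SHA-1, or that names an unknown issuer, matches no entry and is refused rather than sent to a default responder.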