Forum Discussion

Altostratus

Oct 12, 2018

DISA OCSP responder sometimes producing errors

Hi, not sure if there are others that have this issue, it seems sporadic. I’m using BigIP v13.1.1 OCSP will sometimes fail and users will fail to login, and it will fail for a random duration of ...

application delivery

BIG-IP Access Policy Manager (APM)

Employee

Oct 12, 2018

It would be possible theoretically to define a response timeout value for OCSP requests, such that it "failed open" if the request couldn't succeed. But honestly, this particular problem has existed for as long as I can remember, and the very best recommendation would probably be to stand up your own local responder that pulls CRLs from DISA. If you have a Microsoft site license, then you already have a free OCSP responder that works as good as the other dedicate OCSP vendors. The beauty here is that you can configure the local responder to extend revocation status beyond the CRL end-date in case CRL stops working too.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

DISA OCSP responder sometimes producing errors

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Change cookie domain in HTTP::respond

Large payload post requests aren't responding

OCSP Responder

Gzip content when using HTTP::respond

Sometimes you don't know what you don't know

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS