F5 to read a combined CRL file
Combining multiple Certificate Revocation Lists (CRLs) into a single file with multiple BEGIN X509 CRL and END X509 CRL sections can indeed be problematic, as many systems, including OpenSSL, typically expect a single CRL per file and may only process the first CRL they encounter.
F5 BIG-IP systems have similar limitations when it comes to handling CRLs. The system expects a single CRL per file and may not correctly process a combined CRL file with multiple BEGIN and END sections. Therefore, you need an alternative approach to handle multiple CRLs effectively.
Follow the steps below:
Step 1: Create a Directory and Upload CRLs
- Create a directory: mkdir -p /config/ssl/crl
- Upload CRL files: use the F5 GUI or SCP to upload the CRL files to the /config/ssl/crl directory.
Step 2: Configure the Client SSL Profile
- Navigate to SSL Certificates: go to Local Traffic > SSL Certificates > Client in the F5 GUI.
- Edit the Client SSL Profile:
  - Select the client SSL profile you are using.
  - Under the "Certificate Revocation List (CRL) File" section, instead of specifying a single CRL file, specify the directory path.
For example:
- CRL File: /config/ssl/crl
Example Commands:
Assuming you have two CRLs, crl1.pem and crl2.pem, you can place them in the directory and configure your profile as follows:
Upload CRLs:
    scp crl1.pem root@<f5-ip>:/config/ssl/crl/
    scp crl2.pem root@<f5-ip>:/config/ssl/crl/
Configure Client SSL Profile:
- In the F5 GUI, go to Local Traffic > Profiles > SSL > Client.
- Select your client SSL profile.
- In the "Certificate Revocation List (CRL) File" field, enter /config/ssl/crl.
Example iRule for Custom Validation:
If you need to perform more complex CRL validation, you can use an iRule to implement custom logic. Here’s a simple example of how you might do this:
    when CLIENTSSL_CLIENTCERT {
        # Get the client certificate
        set cert [SSL::cert 0]
        # Check if the certificate is revoked
        if { [CRL::verify $cert /config/ssl/crl/crl1.pem] == 0 || [CRL::verify $cert /config/ssl/crl/crl2.pem] == 0 } {
            # Certificate is revoked
            reject
        } else {
            # Certificate is valid
            log local0. "Client certificate is valid."
        }
    }
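The workaround above relies on one CRL per file in /config/ssl/crl, but the thread starts from a combined file with several BEGIN X509 CRL / END X509 CRL sections, which tools that stop after the first block will silently truncate. The following is an added example, not code from the original post and not an F5 tool: a small Python splitter that parses a multi-block CRL PEM bundle, checks each block decodes to a DER SEQUENCE, and writes it out as crl1.pem, crl2.pem, and so on. The sample bundle is constructed from placeholder DER bytes (not real CRLs), and the output directory name and the crlN.pem naming are assumptions.

```python
from __future__ import annotations

import base64
import binascii
import re
from pathlib import Path

BEGIN = "-----BEGIN X509 CRL-----"
END = "-----END X509 CRL-----"

# One PEM block: header, base64 body (usually wrapped at 64 columns), footer.
_BLOCK_RE = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.DOTALL)


def split_crl_bundle(pem_text: str) -> list[str]:
    """Return every CRL in a combined PEM file as its own single-CRL PEM string.

    Each block's base64 body is decoded to confirm it is well-formed and that the
    DER payload opens with an ASN.1 SEQUENCE tag (0x30), as every DER-encoded
    CertificateList does. A corrupt block raises instead of being dropped, so a
    damaged bundle cannot quietly shrink the set of revoked certificates.
    """
    crls: list[str] = []
    for match in _BLOCK_RE.finditer(pem_text):
        body = "".join(match.group(1).split())  # remove line wrapping before decoding
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"CRL block {len(crls) + 1}: invalid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"CRL block {len(crls) + 1}: payload is not a DER SEQUENCE")
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        crls.append(f"{BEGIN}\n{wrapped}\n{END}\n")
    return crls


def write_crl_files(pem_text: str, out_dir, prefix: str = "crl") -> list[Path]:
    """Write each CRL to <out_dir>/<prefix>N.pem (crl1.pem, crl2.pem, ...)."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths: list[Path] = []
    for n, crl in enumerate(split_crl_bundle(pem_text), start=1):
        path = out_dir / f"{prefix}{n}.pem"
        path.write_text(crl)
        paths.append(path)
    return paths


def _placeholder_der(n: int) -> bytes:
    # Constructed placeholder: a DER SEQUENCE wrapping one INTEGER. It is NOT a
    # real CRL; it only has the outer shape the sanity check looks for.
    return bytes([0x30, 0x03, 0x02, 0x01, n])


# Constructed sample bundle: two blocks back to back, as plain concatenation produces.
SAMPLE_BUNDLE = "\n".join(
    f"{BEGIN}\n{base64.b64encode(_placeholder_der(n)).decode()}\n{END}" for n in (1, 2)
)

if __name__ == "__main__":
    # Assumed output directory name; point it at a staging folder before copying to the BIG-IP.
    for path in write_crl_files(SAMPLE_BUNDLE, "crl_out"):
        print("wrote", path)
```

Run it against the real combined file (`write_crl_files(Path("combined.crl").read_text(), "crl_out")`), then upload the resulting crlN.pem files with scp as shown above; because the splitter refuses malformed blocks, a bundle that was truncated in transit fails loudly instead of producing a shorter revocation list.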
awan_m (Cirrostratus), Jan 23, 2025
Thanks for the response.
I just tried it, but the command [CRL::verify] is not being accepted. I am getting the following:
error: /Common/crl_verify:5: error: [undefined procedure: CRL::verify][CRL::verify]
I am running version 17.