Forum Discussion
Antoine_80417
Apr 13, 2011 (Nimbostratus)
Multiple certificate authorities and authentication profiles
Hello,
This is my first post on this forum so first, let me introduce myself: I'm a network and security engineer, I work for a company that uses quite a lot of F5 appliances as GTMs, LCs or...
hooleylist
Apr 19, 2011 (Cirrostratus)
Actually, are you trying to logically fail open if the OCSP server isn't available? If so, you could configure a pool containing the OCSP server address (assuming it's an IP and not a hostname) and then in your original AUTH iRule check to see if the OCSP server pool is up before trying to use AUTH::start.
However, if an attacker knew this was what you were doing, they could try to take down the OCSP server and then present a revoked client cert to your VS and bypass your validation. Fail open isn't a great approach from a security perspective.
Aaron
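As an added example (not code from the thread or an F5-shipped iRule), this iRule does the pool check Aaron describes but fails closed: when the OCSP pool has no active members, or the lookup errors out, the handshake is rejected rather than skipping validation. The pool name `ocsp_pool` and the auth profile name `ocsp_auth` are assumptions.

```tcl
# Added example: client-cert OCSP check that fails closed when the OCSP pool is down.
# Assumed names: pool "ocsp_pool" (OCSP responder address) and auth profile "ocsp_auth".
when CLIENTSSL_CLIENTCERT {
    # Hold the handshake until the OCSP lookup has returned a result.
    SSL::handshake hold

    if { [active_members ocsp_pool] == 0 } {
        # Fail closed: with no reachable responder the cert cannot be validated,
        # so the connection is dropped instead of being let through unchecked.
        log local0. "ocsp_pool has no active members; rejecting [IP::client_addr]"
        reject
        return
    }

    # Pool is up: start the OCSP auth session for the presented client cert.
    set ocsp_sid [AUTH::start pam ocsp_auth]
    AUTH::subscribe $ocsp_sid
    AUTH::cert_credential $ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $ocsp_sid
}

when AUTH_RESULT {
    # Only act on the result of the session this connection started.
    if { [info exists ocsp_sid] && $ocsp_sid == [AUTH::last_event_session_id] } {
        if { [AUTH::status] == 0 } {
            # Responder answered "good": let the handshake continue.
            SSL::handshake resume
        } else {
            # Revoked, unknown, or any other non-success status: fail closed.
            log local0. "OCSP status [AUTH::status] for [IP::client_addr]; rejecting"
            reject
        }
    }
}

when AUTH_ERROR {
    # The auth session itself failed (e.g. responder timed out mid-lookup).
    # Treat it the same as a down pool: reject rather than resume unvalidated.
    log local0. "OCSP auth error for [IP::client_addr]; rejecting"
    reject
}
```

The fail-open variant Aaron warns about would call `SSL::handshake resume` in the down-pool and error branches instead of `reject`; keep those branches rejecting so an outage of the responder cannot be turned into a bypass.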