Forum Discussion
Antoine_80417
Nimbostratus
Apr 13, 2011
Multiple certificate authorities and authentication profiles
Hello,
This is my first post on this forum so first, let me introduce myself: I'm a network and security engineer, I work for a company that uses quite a lot of F5 appliances as GTMs, LCs or...
hoolio
Cirrostratus
Apr 19, 2011
Actually, are you trying to logically fail open if the OCSP server isn't available? If so, you could configure a pool containing the OCSP server address (assuming it's an IP and not a hostname) and then in your original AUTH iRule check to see if the OCSP server pool is up before trying to use AUTH::start.
However if an attacker knew this was what you were doing, they could try to take down the OCSP server and then present a revoked client cert to your VS and bypass your validation. Fail open isn't a great approach from a security perspective.
Aaron
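The approach Aaron describes, written out as an iRule. This is an added example, not code from the thread or from F5's own `_sys_auth_ssl_ocsp` rule. It assumes a pool named `ocsp_pool` whose single member is the OCSP responder's IP address (pool members must be addresses, not hostnames) with a health monitor attached so that `active_members` reflects reachability, and an SSL OCSP authentication configuration named `ssl_ocsp_auth`. Both names are placeholders. The `static::ocsp_fail_open` switch lets you see the fail-open behaviour the question asks for next to the fail-closed default the reply recommends.

```tcl
# Added example, not from the original thread. Placeholder names:
#   ocsp_pool      - pool containing the OCSP responder's IP, with a monitor
#   ssl_ocsp_auth  - SSL OCSP auth configuration used by AUTH::start
when RULE_INIT {
    # 1 = fail open when the OCSP pool is down (what the question asked for)
    # 0 = fail closed (the safer default)
    set static::ocsp_fail_open 0
}

when CLIENTSSL_CLIENTCERT {
    # No client certificate presented: nothing to check here. Whether that
    # is acceptable is decided by the client SSL profile's own setting.
    if { [SSL::cert count] == 0 } {
        return
    }

    # The pool's health monitor is what makes active_members meaningful.
    if { [active_members ocsp_pool] == 0 } {
        if { $static::ocsp_fail_open } {
            # Fail open: accept the certificate without a revocation check.
            # Anyone who can take the responder offline, or block the BIG-IP's
            # path to it, can then present a revoked certificate and get in.
            log local0. "OCSP pool down, skipping revocation check for [IP::client_addr]"
            return
        }
        # Fail closed: no revocation check is possible, so no handshake.
        log local0. "OCSP pool down, rejecting client [IP::client_addr]"
        reject
        return
    }

    # Responder is reachable: hand the cert and its issuer to the OCSP auth
    # configuration and pause the handshake until AUTH_RESULT fires.
    set ocsp_sid [AUTH::start pam ssl_ocsp_auth]
    AUTH::subscribe $ocsp_sid
    AUTH::cert_credential $ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $ocsp_sid
    SSL::handshake hold
}

when AUTH_RESULT {
    # Only act on the result for the session this connection started.
    if { [info exists ocsp_sid] and ($ocsp_sid == [AUTH::last_event_session_id]) } {
        set ocsp_status [AUTH::status]
        if { $ocsp_status == 0 } {
            # Responder returned "good": let the handshake complete.
            SSL::handshake resume
        } elseif { $ocsp_status != -1 } {
            # Revoked, unknown or responder error (-1 means still pending).
            reject
        }
    }
}
```

With `static::ocsp_fail_open` left at 0 the pool check mostly buys you a fast, logged rejection and a clear signal to your monitoring that revocation checking is broken; the handshake would otherwise stall until the OCSP lookup errors out and surfaces as a non-zero `AUTH::status`. Flip it to 1 only if you have decided that availability outweighs the risk Aaron describes, and alert on the log line when you do.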