Forum Discussion
Kevin_Stewart
Employee
Aug 23, 2007
OCSP and new AUTH::status response codes
All,
According to the wiki, the AUTH_ERROR, AUTH_FAILURE and AUTH_SUCCESS events are being deprecated in favor of the new AUTH_RESULT event, and this is evident in the default OCSP iRules in the ...
spark_86682
Feb 06, 2008
Historic F5 Account
Do you have your client certificate "peer cert mode" set to "request" or "require"? If it's set to "require", then the certificate presented must pass all of the internal checks that the BIG-IP does before we continue with the connection, so that may be the behavior that you're (all) seeing. You should be able to set it to "request" and have processing continue. Note that you will need to ensure that your auth processing iRule handles the case where the client does not present any certificate at all.
If you have it set to "request", and you're still seeing clients with expired certificates having their connections be closed (and the iRule events not firing), then that is a bug, and you should open up a case with F5 support.
Hope this helps!
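An added example, not part of the original thread and not F5's own code: one way an iRule can cover the cases the reply above describes when peer cert mode is "request". The choice to reject in both failure cases and the log wording are assumptions; the iRule commands used are standard ones.

```tcl
# Added example (not from the thread). Assumes the client SSL profile has
# peer cert mode "request", so the handshake completes even when the client
# sends no certificate or one that fails verification. Rejecting in both
# failure cases is an assumed policy; adjust to local requirements.
when CLIENTSSL_HANDSHAKE {
    # Case 1: the client presented no certificate at all.
    if { [SSL::cert count] == 0 } {
        log local0.notice "client [IP::client_addr]: no client certificate presented"
        reject
        return
    }

    # Case 2: a certificate was presented but failed the BIG-IP's own checks
    # (expired, untrusted issuer, and so on). 0 means verification succeeded.
    set vr [SSL::verify_result]
    if { $vr != 0 } {
        log local0.notice "client [IP::client_addr]: certificate rejected: [X509::verify_cert_error_string $vr]"
        reject
        return
    }

    # Case 3: the certificate verified locally. OCSP or other auth
    # processing continues from here.
}
```

With "require" the first two cases never reach the iRule because the handshake itself fails; with "request" the iRule is the only place they are enforced.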