Forum Discussion

Employee

Aug 23, 2007

OCSP and new AUTH::status response codes

All, According to the wiki, the AUTH_ERROR, AUTH_FAILURE and AUTH_SUCCESS events are being deprecated in favor of the new AUTH_RESULT event, and is evident in the default ocsp irules in the ...

Historic F5 Account

Feb 05, 2008

Do you have your client certificate "peer cert mode" set to "request" or "require"? If it's set to "require", then the certificate presented must pass all of the internal checks that the BIG-IP does before we continue with the connection, so that may be the behavior that you're (all) seeing. You should be able to set it to "request" and have processing continue. Note that you will need to ensure that your auth processing iRule handles the case where the client does not present any certificate at all.

If you have it set to "request", and you're still seeing clients with expired certificates having their connections be closed (and the iRule events not firing), then that is a bug, and you should open up a case with F5 support.

Hope this helps!

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)