OCSP Cache

Question

Hello all&nbsp;
We need to implement an OCSP authentication profile on our LTM system to verify the revocation status of client certificates.&nbsp;
Does anyone know if it's possible for the LTM to cache the response from the OCSP Responder to help minimise the number of requests needed?&nbsp;
Thank you. &nbsp;

morten_marstra1 · Answer

Hi,&nbsp;
You can change the caching options in the ocsp stapling profile.
Please have a look at the following article, by Jason Rahm:
https://devcentral.f5.com/articles/configuring-ocsp-stapling-on-big-ip&nbsp;
Morten&nbsp;

morten_marstran · Answer

Hi,&nbsp;
You can change the caching options in the ocsp stapling profile.
Please have a look at the following article, by Jason Rahm:
https://devcentral.f5.com/articles/configuring-ocsp-stapling-on-big-ip&nbsp;
Morten&nbsp;

devlin_t_149357 · Answer

Hi Morten&nbsp;
Thanks for your quick response. We don't want to do OCSP stapling. Our situation is that we have a VS to which the client connects. We've applied a Client SSL Profile to terminate the TLS. We also have Client Authentication turned on so the LTM sends a certificate request. We then need to check the revocation of the client's certificate using OCSP. We have configured an OCSP authentication profile, see: &nbsp;
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-profiles-reference-12-0-0/8.html&nbsp;
...the client has asked if the LTM can cache the OCSP response from the Responder so the LTM does not need to send an OCSP request for the same client every time they make a request.&nbsp;
Thanks.&nbsp;

devlin_t_149357 · Answer

Hi Morten&nbsp;
Thanks for your quick response. We don't want to do OCSP stapling. Our situation is that we have a VS to which the client connects. We've applied a Client SSL Profile to terminate the TLS. We also have Client Authentication turned on so the LTM sends a certificate request. We then need to check the revocation of the client's certificate using OCSP. We have configured an OCSP authentication profile, see: &nbsp;
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-profiles-reference-12-0-0/8.html&nbsp;
...the client has asked if the LTM can cache the OCSP response from the Responder so the LTM does not need to send an OCSP request for the same client every time they make a request.&nbsp;
Thanks.&nbsp;

morten_marstra1 · Answer

Ah, I missed the part about client certificates. Sorry, but I don't know if what you want can be done.&nbsp;
Regards,
Morten&nbsp;

Forum Discussion

OCSP Cache

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

What is Web Cache Exploitation?

Distributed caching of authentication requests with NGINX Ingress Controller

Configuring OCSP Stapling on BIG-IP

Building an OpenSSL Certificate Authority - Configuring CRL and OCSP

OCSP Responder

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS