For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

daboochmeister's avatar
daboochmeister
Icon for Cirrus rankCirrus
Aug 21, 2015

OCSP responder profile with client cert set to "request", for multiple CAs;

Environment: LTM 11.5.2, APM available but i think N/A for this.   Just a quick check of my understanding of something ...   If an OCSP responder profile's URL field is empty, and "Ignore AIA"...
application delivery
crldp
design
LTM
ocsp
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 21, 2015

You'd basically have an access policy that starts with an On-Demand cert auth agent that is followed by an iRule agent. That iRule would parse the client cert looking for either an AIA field or CRLDP. Depending on the logic you choose (ie. if AIA and CRLDP exist, always choose the AIA, or something like that), you'd set an access session variable. Out of the iRule event agent you'd have an empty agent and a set of branch conditions that evaluates this session variable and then routes the logic flow through an OCSP auth agent or CRLDP auth agent.

 

The APM CRLDP agent has been able to support HTTP and LDAP URLs since (I think 11.3).