EP1
Apr 17, 2020

Support dynamic CRL check for clientSSL profile (BIG-IP 15.1)

Hi,

Has anyone tested the (dynamic) CRL validator object for the client SSL profile (BIG-IP v15.1)?

It should work in v15.1 (fixed bug 743758 - https://cdn.f5.com/product/bugtracker/ID743758.html ).

I'm getting the following errors for all client certificates:


err tmm1[21207]: 01a40008:3: Unable to build certificate trust chain for profile /clientssl_profile

tmm1[21207]: 01260009:4: clientIP:62042 -> VIP:443: Connection error: ssl_hs_do_crl_validation:6014: alert(46) unknown certificate error

With a CRL file it works OK, but a file does not automatically fetch, check, and cache CRL files…

Kr,

EPX


3 Replies

  • It works for me:

    Skip steps 1 and 2 if you want to use an external proxy server for forwarding the CRL request to the CRL server.

    1. Create a DNS Resolver (Network-->DNS Resolvers-->DNS Resolver List-->Create)

    2. Open the DNS Resolver created in step 1, go to the "Forward Zones" tab and add the appropriate zones with their DNS servers.

    3. Create an internal proxy (GUI-->System-->Services-->Internal Proxies-->Create)

    Assign the DNS Resolver created in step 1 (no external proxy), or enable "Use Proxy Server" and specify an LTM pool containing the proxy server (external proxy server).

    4. Create a Traffic Certificate Management CRL object (GUI-->System-->Certificate Management --> Traffic Certificate Management --> CRL)

    Assign the internal proxy created in step 3.

    5. Assign the CRL object created in step 4 to a Client SSL profile with client authentication enabled:

    Open GUI-->Local Traffic-->Profiles-->SSL-->Client-->profile_name

    Go to the Client Authentication section and set:

    Client Certificate to request/require; this enables client authentication

    Trusted Certificate Authorities to the CA that you want to trust

    CRL to the object created in step 4.


    • MAbbas

      Hi - I followed the steps specified above, but CRL checks are not working on my device.

      I have 16.1 running - I created a resolver and a forward zone in it.

      I also created a proxy and a pool.

      Neither the DNS resolver nor the proxy pool is getting any hits, meaning the counters are 0,

      and I get the same error message as EP1.


      • EP1

        Hi,

        I've included the root certificates in the Advertised and Trusted bundles, and that solved this error...
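As an added example (not from this thread, and not an F5 or BIG-IP command), the "Unable to build certificate trust chain" failure in the original post and the fix in the last reply can be reproduced offline with the OpenSSL command line. The script builds a throwaway test PKI that is constructed here (a root CA, an issuing CA under it, one good and one revoked client certificate, and a CRL published by the issuing CA) and then verifies the client certificates against two candidate "Trusted Certificate Authorities" bundles: one holding only the issuing CA, and one holding the root as well. It assumes the `openssl` binary is on the path; the file names, the `ca.cnf` layout and the `verify_client` helper are this example's own. The CRL is supplied as a file, like the static "CRL File" option in the original post; a dynamic validator fetches it from the certificate's distribution point instead, but it has to build the same chain before it can consult the CRL at all.

```shell
#!/bin/sh
# Offline reproduction, with a constructed test PKI, of why a client cert fails
# chain building when the trusted bundle lacks the root CA, and of what a CRL
# check looks like when the chain does build. Added example; not an F5 procedure.
set -e

build_test_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    # Extensions shared by the root and the issuing CA: CA:TRUE plus CRL signing.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf

    # Root CA (self-signed).
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Test Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca_ext.cnf -out root.crt 2>/dev/null

    # Issuing (intermediate) CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Test Issuing CA" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 -extfile ca_ext.cnf -out int.crt 2>/dev/null

    # Minimal `openssl ca` database so the issuing CA can sign leaf certs and publish a CRL.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = issuing
[ issuing ]
database = ./index.txt
new_certs_dir = .
serial = ./serial
crlnumber = ./crlnumber
certificate = ./int.crt
private_key = ./int.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    : > index.txt
    echo 1000 > serial
    echo 1000 > crlnumber

    # Two client certificates issued by the intermediate; the second one gets revoked.
    for cn in good-client revoked-client; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$cn.key" -out "$cn.csr" -subj "/CN=$cn" 2>/dev/null
        openssl ca -batch -config ca.cnf -notext -in "$cn.csr" -out "$cn.crt" 2>/dev/null
    done
    openssl ca -config ca.cnf -revoke revoked-client.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out issuing.crl 2>/dev/null

    # Two candidate "Trusted Certificate Authorities" bundles.
    cat int.crt > bundle-no-root.pem              # issuing CA only (what the thread started with)
    cat root.crt int.crt > bundle-with-root.pem   # root included (the fix in the last reply)
}

# verify_client BUNDLE CERT
# Prints "OK" and returns 0 when CERT chains to BUNDLE and is not on the CRL;
# otherwise prints OpenSSL's "depth lookup" reason and returns 1.
# -crl_check consults the CRL for the leaf only; -crl_check_all would also
# require a CRL for every CA in the chain.
verify_client() {
    out=$(openssl verify -crl_check -CAfile "$1" -CRLfile issuing.crl "$2" 2>&1 || true)
    case "$out" in
        *": OK") echo OK; return 0 ;;
    esac
    echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    return 1
}

build_test_pki
verify_client bundle-no-root.pem good-client.crt || true      # chain cannot reach a trusted root
verify_client bundle-with-root.pem good-client.crt            # OK
verify_client bundle-with-root.pem revoked-client.crt || true # certificate revoked
```

The first call fails before any revocation check runs: with only the issuing CA in the bundle, OpenSSL cannot extend the chain to a self-signed anchor, which is the same condition BIG-IP logs as being unable to build the trust chain. The second call succeeds once the root is in the bundle, and the third shows that the CRL is only consulted after the chain builds, at which point the revoked certificate is rejected.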