User/Personal Certificate Revocation Checks
OCSP is actually performed via an OCSP Auth agent in the visual policy and corresponding OCSP AAA configuration. The agent assumes that client cert data is being sent to it via an APM session variable, session.ssl.cert.whole if I remember correctly. There are generally two ways to make that happen. You can specify request or require in the client authentication section of the client SSL profile, or you can use an On-Demand Certificate auth agent in the VPE before the OCSP agent. The client SSL profile is still needed for both options to enforce client-side SSL characteristics (ciphers, trust chains, server certs/keys, etc.). The On-Demand cert auth agent simply flips the client auth option from ignore to request or require and initiates an SSL renegotiation to get the client cert.