For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

0_11329's avatar
0_11329
Icon for Nimbostratus rankNimbostratus
Jun 03, 2008

Valid certificate is identified as revoked by "OCSP Authentication error redirect" IRule

Hi,   As part of the implementation of a PKI, I try to use the "OCSP Authentication error redirect" IRule in a BigIP 1500 LTM (version 9.3.1) intended to redirect the Client browser t...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Nov 30, 2009
Hi Randy,

 

 

It would be easier to configure the OCSP server(s) in a pool and then add logic to your OCSP auth iRule which checks [active_members $ocsp_server_pool] > 1 before trying the OCSP authentication. You could send an HTTP response or TCP reset back to the client if the pool was down.

 

 

If you do want to create a VIP, you could do it on a free loopback IP address like 127.0.0.100 and then configure this internal VIP address as the OCSP responder address.

 

 

Aaron