For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Michael_Falkenr's avatar
Michael_Falkenr
Historic F5 Account
Nov 17, 2004

Verify Valid Client Certificate

Have a current 4.x config as follows:     proxy 10.10.10.6:443 unit 1 {   target virtual 127.0.201.6:80   clientssl enable   clientssl key test.key   clients...
application delivery
dev
devops
iRules
Erick_Hammersm1's avatar
Erick_Hammersm1
Historic F5 Account
Jan 29, 2005
Do you happen to know off hand how the customer tested their rule? In my tests, SSL::verify_result is never updated to include the OCSP responder’s response, so any cert that chains up to a trusted client cert CA comes back with a result of “ok”, even if it has been revoked by the OCSP responder. The only way to capture the OCSP responder’s response and use it to make a load balancing decision in HTTP_REQUEST seems to be to use the modified auth rule to store a flag that lets us know whether AUTH_SUCCESS or AUTH_FAILURE happened.