_JOHN_
Aug 10, 2022 · Altocumulus
CRL Validator
From v15.1 onwards client SSL profiles support CRL validator objects as per this bug report: Bug ID 743758 (f5.com) I have no experience of CRL Validator. I have just started to read about it, but...
OCSP does indeed have a few advantages over CRL:
As to the CRL refresh script option, the more I think about it, this probably wouldn't work in your scenario. The idea would be to have a script that periodically queries the site and passes a client cert, forcing the client SSL profile to fetch the CRL if it's not in cache. The issue here is that your script would need a client cert for each respective CRL. I imagine you could spoof this, but I'd have to test that to know for sure.
Cheers again for the reply 😊
I agree in ‘normal’ operation OCSP has clear benefits over CRL. However in my scenario I see clear advantages to pre-fetching the CRLs. I can’t go into the finer specifics of my scenario, but I know it will apply to many others. The key general concepts are:
Unfortunately there doesn’t seem to be an option to pre-fetch the files natively in the F5 arsenal. APM comes closest in that you can use an ‘Update Interval’ so as to continually refresh CRLs based on a timeframe of your choosing (unlike CRL Validator which relies on the nextupdate field), but APM has downsides:
Regarding expired CRL – the SSL profiles allow for that option, but it is on a single CRL (unless trying to use concatenated CRLs).
Local OCSP responder sounds interesting, but it will still hold up connections rather than just making a check against a local file. A local OCSP connection should be very quick, but surely it would still be longer than a local compare on the F5 against a CRL? You then also have to manage something separate to the F5, which is a headache for companies when they have bought the F5 to do all of this work (e.g. keeping on top of security issues and applying patches, more devices to bring under a support model and to manage alerts from etc. etc.).
Regarding forcing a refresh by presenting various client certs (one per CRL) - having the certs to present would be no problem at all in my scenario – test certs are available and constantly refreshed. However it wouldn’t really do what I need – I want the CRL to be refreshed in the background. There is sufficient load that real traffic would likely trigger a CRL download long before the automated script did.
Unfortunately there just doesn’t appear to be a method to do what I need (other than possibly concatenated CRL if we can get round the support issues) so I will look into the alternatives. CRL Validator won’t be one of them based on the cache being for nextupdate (would be simply too long between refreshes). APM is a potential but with those downsides I mentioned.
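Added example, not code from this thread or from F5: a stdlib-only Python sketch of the refresh policy being compared above. It reads thisUpdate/nextUpdate out of a DER CertificateList and takes the earlier of the CRL's own nextUpdate (what a cache keyed on nextUpdate waits for) and a fixed update interval (what APM's Update Interval does), which is what a background pre-fetcher would need; it also handles a CRL that omits nextUpdate and flags one that is already expired at fetch time. The `der` builder, the sample CRL (a v2 shell with no revoked entries and a dummy signature) and `refresh_plan` are my own constructions.

```python
from datetime import datetime, timedelta, timezone

def der(tag, content):
    """Short-form DER TLV (content < 128 bytes); used only to build the sample below."""
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, as real CRLs use
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, value):
    """RFC 5280 Time: UTCTime (tag 0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(certificate_list):
    """(thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate is OPTIONAL."""
    tbs = read_tlv(read_tlv(certificate_list, 0)[1], 0)[1]  # tbsCertList
    tag, _, after = read_tlv(tbs, 0)
    pos = after if tag == 0x02 else 0                        # optional version INTEGER
    _, _, pos = read_tlv(tbs, pos)                           # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)                           # issuer Name
    tag, val, pos = read_tlv(tbs, pos)
    this_update, next_update = parse_time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = read_tlv(tbs, pos)
        if tag in (0x17, 0x18):
            next_update = parse_time(tag, val)
    return this_update, next_update

def refresh_plan(certificate_list, fetched_at_iso, max_interval_seconds):
    """When to re-download: a cache keyed on nextUpdate waits the CRL's whole
    lifetime; a fixed interval (APM's Update Interval) caps that. Take the earlier."""
    fetched_at = datetime.fromisoformat(fetched_at_iso)
    _, next_update = crl_validity(certificate_list)
    due = fetched_at + timedelta(seconds=max_interval_seconds)
    if next_update is not None:
        due = min(due, next_update)
    return {"refresh_at": due.isoformat(),
            "expired": next_update is not None and fetched_at > next_update}
# Constructed sample: v2 CRL shell, no revoked entries, valid 10-17 Aug 2022.
# The signature is a dummy BIT STRING; only the validity fields matter here.
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
TBS = der(0x30, der(0x02, b"\x01") + ALG + der(0x30, b"")
          + der(0x17, b"220810000000Z") + der(0x17, b"220817000000Z"))
SAMPLE_CRL = der(0x30, TBS + ALG + der(0x03, b"\x00" * 5))
```

With a one-day interval the fetch is driven by the interval; with a 30-day interval it falls back to the CRL's nextUpdate, which is the week-long gap the post complains about.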