Forum Discussion
hooleylist
Aug 21, 2009
Hi Skuba,
You could add logic in CLIENTSSL_HANDSHAKE to check for clients making a request with no cert after the renegotiation. You could also validate the client cert against either the SSL cert in the client SSL profile or using a trusted CA cert. You can use the SSL::verify_result. You'd probably also want to check the AUTH::status value in AUTH_RESULT to see whether the OCSP validation was completed successfully.
Note there is an issue where you can't differentiate between no response and a revoked status from the OCSP responder using AUTH::status. F5 is tracking this in CR126501. A workaround is to create a pool containing the OCSP server IP address(es) and then use a monitor to check the status of the pool. You can then use [active_members $ocsp_pool] in your iRule to detect whether the OCSP servers are down.
Aaron
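An added example iRule sketching the checks Aaron describes (my own illustration, not code from the post). It assumes the Client SSL profile's cert mode is "request", an OCSP authentication profile is attached to the virtual server, a pool named ocsp_pool holds the OCSP responder(s) with a monitor, and that only paths under /secure/ require a client certificate.

```tcl
# Added example, not from the original post. Assumed names: ocsp_pool, /secure/.
when RULE_INIT {
    set static::ocsp_pool "ocsp_pool"
}

when HTTP_REQUEST {
    set renegotiated 0
    # Assumed policy: only /secure/ demands a client cert, via renegotiation
    if { [HTTP::path] starts_with "/secure/" && [SSL::cert count] == 0 } {
        set renegotiated 1
        HTTP::collect
        SSL::cert mode require
        SSL::renegotiate
    }
}

when CLIENTSSL_HANDSHAKE {
    # Only the post-renegotiation handshake is checked here
    if { [info exists renegotiated] && $renegotiated } {
        # Fail closed when the OCSP responders are down, since AUTH::status
        # cannot distinguish "no response" from "revoked" (CR126501 in the post)
        if { [active_members $static::ocsp_pool] == 0 } {
            log local0. "OCSP pool $static::ocsp_pool has no active members; rejecting [IP::client_addr]"
            reject
            return
        }
        # Client completed the renegotiation without presenting a certificate
        if { [SSL::cert count] == 0 } {
            log local0. "No client cert after renegotiation from [IP::client_addr]"
            reject
            return
        }
        # Non-zero verify result: chain did not validate against the profile's trusted CAs
        if { [SSL::verify_result] != 0 } {
            log local0. "Client cert failed verification: [X509::verify_cert_error_string [SSL::verify_result]]"
            reject
            return
        }
        HTTP::release
    }
}

when AUTH_RESULT {
    # Result of the OCSP authentication profile for the presented certificate
    if { [AUTH::status] ne "AUTH_SUCCESS" } {
        log local0. "OCSP validation did not succeed ([AUTH::status]) for [IP::client_addr]"
        reject
    }
}
```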