Forum Discussion
hooleylist
Apr 19, 2011
Actually, are you trying to logically fail open if the OCSP server isn't available? If so, you could configure a pool containing the OCSP server address (assuming it's an IP and not a hostname) and then in your original AUTH iRule check to see if the OCSP server pool is up before trying to use AUTH::start.
However, if an attacker knew this was what you were doing, they could try to take down the OCSP server and then present a revoked client cert to your VS and bypass your validation. Fail open isn't a great approach from a security perspective.
Aaron
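The pool check described above, written out as an added iRule example (not code from the post or from F5), but defaulting to fail closed as the reply recommends: if the OCSP pool has no active members the handshake is rejected rather than skipped. The pool name `ocsp_pool` and the auth profile name `default_ocsp` are assumed placeholders.

```tcl
# Added example: client-cert OCSP check that fails closed when the OCSP pool is down.
# Assumed names: pool "ocsp_pool" (holds the OCSP responder IP) and auth profile "default_ocsp".
when CLIENTSSL_CLIENTCERT {
    # Only consult the pool state before starting the auth session. A fail-open
    # variant would "return" here instead of rejecting, which is what the reply warns against.
    if { [active_members ocsp_pool] < 1 } {
        log local0. "OCSP pool ocsp_pool has no active members; rejecting client [IP::client_addr] (fail closed)"
        reject
        return
    }

    # Hold the handshake until the OCSP result arrives.
    set ocsp_id [AUTH::start pam default_ocsp]
    AUTH::subscribe $ocsp_id
    AUTH::cert_credential $ocsp_id [SSL::cert 0]
    AUTH::cert_issuer_credential $ocsp_id [SSL::cert issuer 0]
    AUTH::authenticate $ocsp_id
    SSL::handshake hold
}

when AUTH_RESULT {
    # AUTH::status 0 means the responder reported the certificate as good.
    if { [AUTH::status] == 0 } {
        SSL::handshake resume
    } else {
        # Revoked, unknown, or responder error all end the connection (fail closed).
        log local0. "OCSP validation failed for [IP::client_addr] (status [AUTH::status]); rejecting"
        reject
    }
}
```

Logging the fail-closed branch separately from the revoked-cert branch makes an OCSP outage visible in the logs instead of showing up only as a rise in rejected clients.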