
OCSP Cache

Hello all

We need to implement an OCSP authentication profile on our LTM system to verify the revocation status of client certificates.

Does anyone know if it's possible for the LTM to cache the response from the OCSP Responder to help minimise the number of requests needed?

Thank you.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

You can change the caching options in the ocsp stapling profile. Please have a look at the following article, by Jason Rahm: https://devcentral.f5.com/articles/configuring-ocsp-stapling-on-big-ip

Morten

Comments on this Answer
Comment made 04-Aug-2017 by Devlin_T 356

Hi Morten

Thanks for your quick response. We don't want to do OCSP stapling. Our situation is that we have a VS to which the client connects. We've applied a Client SSL Profile to terminate the TLS. We also have Client Authentication turned on so the LTM sends a certificate request. We then need to check the revocation of the client's certificate using OCSP. We have configured an OCSP authentication profile, see:

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-profiles-reference-12-0-0/8.html

...the client has asked if the LTM can cache the OCSP response from the Responder so the LTM does not need to send an OCSP request for the same client every time they make a request.

Thanks.

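Added here as an illustration, not from this thread and not BIG-IP code: a small Python model of what a response cache in front of an OCSP responder has to honour if it is to cut responder traffic per client certificate without weakening the revocation check. It keys on issuer and serial (as the OCSP CertID does), serves a cached status only inside the responder-signed thisUpdate/nextUpdate window capped by a local TTL, and never caches "unknown" or responses without nextUpdate. The responder, issuer name, serials and timings are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class OcspResult:
    status: str                      # "good", "revoked" or "unknown"
    this_update: datetime            # thisUpdate from the signed response
    next_update: Optional[datetime]  # nextUpdate; a responder may omit it

class OcspCache:
    """Keyed on (issuer, serial) like the OCSP CertID; re-queries once the window lapses."""
    def __init__(self, fetch: Callable[[str, int], OcspResult],
                 max_ttl: timedelta = timedelta(hours=1)) -> None:
        self._fetch = fetch      # stands in for the round trip to the responder
        self._max_ttl = max_ttl  # upper bound even when nextUpdate is far away
        self._entries: Dict[Tuple[str, int], Tuple[str, datetime]] = {}
        self.requests = 0        # responder round trips actually made

    def check(self, issuer: str, serial: int, now: datetime) -> str:
        key = (issuer, serial)
        hit = self._entries.get(key)
        if hit is not None and now < hit[1]:
            return hit[0]        # served from cache, no responder traffic
        self.requests += 1
        res = self._fetch(issuer, serial)
        # Cache only definitive answers inside their signed validity window;
        # "unknown" and responses without nextUpdate are re-queried every time.
        cacheable = (res.status in ("good", "revoked") and res.next_update is not None
                     and res.this_update <= now < res.next_update)
        if cacheable:
            self._entries[key] = (res.status, min(res.next_update, now + self._max_ttl))
        else:
            self._entries.pop(key, None)
        return res.status

def demo() -> Tuple[int, List[str]]:
    # Constructed responder: three client certs from one issuer, one of them "unknown".
    t0 = datetime(2017, 8, 4, 9, 0, tzinfo=timezone.utc)
    issuer, window = "CN=Corp Issuing CA", timedelta(minutes=30)
    responder = {(issuer, 0x1001): OcspResult("good", t0, t0 + window),
                 (issuer, 0x1002): OcspResult("revoked", t0, t0 + window),
                 (issuer, 0x1003): OcspResult("unknown", t0, None)}
    cache = OcspCache(lambda i, s: responder[(i, s)])
    seen: List[str] = []
    for minute in (0, 5, 10, 45):    # four handshakes per client; the last is past nextUpdate
        now = t0 + timedelta(minutes=minute)
        for serial in (0x1001, 0x1002, 0x1003):
            seen.append(cache.check(issuer, serial, now))
    return cache.requests, seen
```

Twelve handshakes cost eight responder requests: the two definitive statuses are fetched once, reused for the next two handshakes, and fetched again once the window has expired, while the "unknown" certificate is queried every time.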
Comment made 04-Aug-2017 by Morten Marstrander 250

Ah, I missed the part about client certificates. Sorry, but I don't know if what you want can be done.

Regards, Morten

Comment made 04-Aug-2017 by Devlin_T 356

No problem Morten. I'm also scratching my head.


Does anyone else have any ideas?

Thanks.
