Forum Discussion

Hille_de_Graaf_
Apr 13, 2010

CRL verification in Irule

Hi,

Is it possible to verify an SSL CRL (Certificate Revocation List) within an iRule?

The reason is that we have two different CA issuers (from the same PKI company) with two different CRLs.

Note: we can only use one Virtual Server.

Or does anyone know if you can make a CRL bundle?

Regards,

Hille

 

3 Replies

  • Hi Hille,

    Are you using the advanced client auth license to check the CRL? I worked with a poster here on a similar situation with OCSP authentication, where the person had two different CAs' OCSP servers they needed to check client certs against. The solution we came up with was to use a VIP and iRule to select the correct OCSP URL based on the client cert that was being validated. We then configured this VIP as the URL for the OCSP responder. I imagine you could do something similar for the CRL. This CRL load balancing VIP would be used internally to perform the CRL validation, not as a second VIP that the clients connect to.

    If this seems like it might work for your scenario, let me know and I'll try to clean up and anonymize the OCSP example. It might also be worth checking with either an F5 account manager/presales person or F5 Support to see if there's a simpler solution.

    Aaron
  • Hi Aaron,

    We are not using the advanced client auth license. Also, the provider doesn't support OCSP.

    We also opened a case with F5 and they replied with the following:

    -------------------------------------------------------------------------------------------------------

    Creating an aggregate CRL file

    If you need to revoke certificates from more than one CA, you can create an aggregate CRL file simply by concatenating the CRL files from each CA.

    For example, if you have a CRL file generated by a commercial CA, commercial_crl.pem, and another CRL file generated by a home-grown OpenSSL CA, openssl_crl.pem, you can combine these into a single CRL file as follows:

    Windows:

    copy commercial_crl.pem + openssl_crl.pem crl.pem

    UNIX:

    cat commercial_crl.pem openssl_crl.pem > crl.pem

    -------------------------------------------------------------------------------------------------------

    I concatenated the two CRL files into one aggregated file and loaded it into the SSL client profile.

    It works for both client certificates..., but I still have to test it with client certificates that are revoked (I'm waiting for the provider to provide me with two certificates that are revoked).

    Hille
  • Sorry, I thought you were using CRL/CRLDP with an advanced client auth profile. Support's suggestion seems logical for using two CRL files.

    Aaron
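The aggregate-CRL approach quoted from F5 Support above relies on the bundle being a clean sequence of PEM blocks. The Python below is an added example, not code from the thread or from F5: it builds the bundle the way `cat` does but guarantees a newline between files, and then counts the CRL blocks a line-oriented PEM parser would actually recognise, so a bundle whose first file lacks a trailing newline (END and BEGIN lines fused) is caught before it is loaded into the SSL client profile. The CRL bodies are constructed placeholders, not real CRLs, and the file names are the ones from the support note.

```python
"""Build and sanity-check an aggregate CRL PEM bundle (added example)."""
import base64
import binascii
import re

# A PEM parser expects each marker at the start of its own line.
_CRL_BLOCK = re.compile(
    r"^-----BEGIN X509 CRL-----\n(?P<body>(?:[A-Za-z0-9+/=]+\n)+)-----END X509 CRL-----$",
    re.MULTILINE,
)


def merge_crl_bundle(crl_files):
    """Concatenate (name, pem_text) pairs into one bundle, like `cat a b > crl.pem`,
    but add a newline after any file that lacks one so blocks never fuse."""
    parts = []
    for name, text in crl_files:
        if "-----BEGIN X509 CRL-----" not in text:
            raise ValueError(f"{name}: not a PEM-encoded CRL")
        parts.append(text if text.endswith("\n") else text + "\n")
    return "".join(parts)


def count_crl_blocks(bundle):
    """Number of well-formed CRL blocks (markers on their own lines, valid base64)."""
    count = 0
    for match in _CRL_BLOCK.finditer(bundle):
        try:
            base64.b64decode(match.group("body"))
        except binascii.Error:
            continue  # corrupted body: a parser would reject this block
        count += 1
    return count


def _fake_crl_pem(label, trailing_newline=True):
    """Constructed placeholder block; the body is NOT a real DER CRL."""
    body = base64.encodebytes(b"constructed placeholder, not a real CRL: " + label.encode()).decode()
    pem = f"-----BEGIN X509 CRL-----\n{body}-----END X509 CRL-----"
    return pem + ("\n" if trailing_newline else "")


# Constructed inputs: the commercial CRL file has no trailing newline.
COMMERCIAL_CRL = _fake_crl_pem("commercial_crl.pem", trailing_newline=False)
OPENSSL_CRL = _fake_crl_pem("openssl_crl.pem")


def demo():
    """Return (blocks found in naive concatenation, blocks found in fixed bundle)."""
    naive = COMMERCIAL_CRL + OPENSSL_CRL
    fixed = merge_crl_bundle([("commercial_crl.pem", COMMERCIAL_CRL), ("openssl_crl.pem", OPENSSL_CRL)])
    return count_crl_blocks(naive), count_crl_blocks(fixed)
```

With the constructed inputs, `demo()` returns `(0, 2)`: the naive join hides both CRLs behind one fused marker line, while the fixed bundle exposes two blocks, which is the count to check against the number of issuing CAs before deploying the file.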