Forum Discussion

Joe_5599_134300
Jun 04, 2014

Client Cert Checking with OCSP Responder with HTTP/1.1

We have an LTM set up to check client certs on a Microsoft PKI OCSP responder. We see the request traffic going to the OCSP server but are not getting a response back. Ping and telnet on 80 from the LTM work, so connectivity is OK. We see the request using HTTP/1.0 but may need to be using HTTP/1.1.

Is there a way to change a setting to use HTTP/1.1 for the OCSP request? Or can the default iRule _sys_auth_ssl_ocsp be edited to change to HTTP/1.1?

We found this in some Microsoft documentation.

1.4 Relationship to Other Protocols
The Hypertext Transfer Protocol (HTTP/1.1) [RFC2616] is the transport protocol for Online Certificate Status Protocol (OCSP) Extensions messages.

1.5 Prerequisites/Preconditions
This protocol requires HTTP/1.1 ([RFC2616]) for transport of all messages.

1 Reply

  • nathe

    Joe, I wouldn't edit that iRule but copy & paste into a custom one. Refer to the new iRule in the OCSP profile (I think from memory). Not specifically sure if you can modify the HTTP version this way without referencing the iRule but a possibility for sure.
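
To confirm from a test host whether the responder really treats HTTP/1.0 and HTTP/1.1 differently, the same OCSP request body can be sent both ways and the status lines compared. This is an added example, not part of either post and not F5 or Microsoft code; the URL, the placeholder body and the function names are assumptions, and the HTTP/1.0 form is assumed to carry no Host header.

```python
import socket
from urllib.parse import urlsplit

# Constructed stand-in body, NOT a valid OCSPRequest; use real DER for a live test.
PLACEHOLDER_BODY = b"\x30\x00"
SAMPLE_URL = "http://ocsp.example.test/ocsp"  # constructed responder URL


def build_ocsp_post(url, der_request, http_version="1.1"):
    """Return the raw bytes of an OCSP POST (RFC 6960 Appendix A.1)."""
    if http_version not in ("1.0", "1.1"):
        raise ValueError("http_version must be '1.0' or '1.1'")
    parts = urlsplit(url)
    headers = [
        f"POST {parts.path or '/'} HTTP/{http_version}",
        "Content-Type: application/ocsp-request",
        f"Content-Length: {len(der_request)}",
    ]
    if http_version == "1.1":
        # HTTP/1.1 makes Host mandatory; "close" lets the read loop below end.
        headers += [f"Host: {parts.netloc}", "Connection: close"]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + der_request


def probe(url, der_request, http_version, timeout=5.0):
    """Send one request; return the response status line, or None if silent."""
    parts = urlsplit(url)
    raw = build_ocsp_post(url, der_request, http_version)
    data = b""
    with socket.create_connection((parts.hostname, parts.port or 80), timeout) as s:
        s.sendall(raw)
        try:
            while b"\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:  # peer closed without completing a status line
                    break
                data += chunk
        except socket.timeout:  # connected, but no answer within the timeout
            pass
    return data.split(b"\r\n", 1)[0].decode("latin-1") or None


def compare(url, der_request):
    """Map each HTTP version to the status line the responder returned."""
    return {v: probe(url, der_request, v) for v in ("1.0", "1.1")}
```

For a live check, pass compare() the responder URL and a DER request saved with `openssl ocsp -reqout`. A result of None for "1.0" alongside a 200 status line for "1.1" matches the symptom described in the question.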