What_Lies_Bene1
Oct 29, 2013

OCSP With CRL Fallback

Hi all, I've been trying to get my head around OCSP and CRL in a rush. My requirement is relatively simple but without APM (not an option) I'm trying to do this via an iRule. Anyway, the requirement is this;

 

-Use OCSP as the primary method of verifying client certificates (requires an OCSP profile)

-Use CRL (not CRLDP) as a fallback should the OCSP responders be unavailable for any reason (requires an SSL profile)

 

According to this, if both are applied (via profiles) then both checks must 'pass' not just one or the other, hence the iRule.

 

I've found examples of using OCSP in an iRule here, here and here (thanks Hoolio) but little around CRL checking.

 

So, my questions are;

 

-Can I use an iRule to perform the OCSP check and then, if OCSP fails for some reason, switch to an SSL profile that has CRL checking enabled so that CRL checking is performed?

 

-If not, does anyone have any example code for performing a CRL check?

 

-Would it simply be better to use a Pool (or something along these lines) and check it's up rather than do the OCSP check 'manually' in the iRule?

 

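The decision order in the requirement above (OCSP first, CRL only when no responder answers), written out in Python as an added example; it is not part of the original post and is not iRule code. All names, the sample serials and dates, and the choice to reject an OCSP `unknown` status and an expired CRL are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, FrozenSet, Tuple

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"

class ResponderUnavailable(Exception):
    """No OCSP responder returned a usable answer (timeout, refused, bad reply)."""

@dataclass(frozen=True)
class Crl:
    revoked_serials: FrozenSet[int]
    next_update: datetime  # the CRL is not trusted at or after this time

def check_revocation(serial: int, ocsp_lookup: Callable[[int], Status],
                     crl: Crl, now: datetime) -> Tuple[bool, str]:
    """Return (allow, reason); the CRL is consulted only if OCSP gave no answer."""
    try:
        status = ocsp_lookup(serial)
    except ResponderUnavailable:
        status = None
    if status is Status.GOOD:
        return True, "ocsp-good"
    if status is not None:
        # revoked/unknown is an answer: the CRL never overrides it (assumed policy)
        return False, "ocsp-" + status.value
    if now >= crl.next_update:
        return False, "crl-stale"  # fail closed on an expired CRL (assumed policy)
    if serial in crl.revoked_serials:
        return False, "crl-revoked"
    return True, "crl-not-listed"

# Constructed sample data, not taken from the post.
SAMPLE_CRL = Crl(frozenset({0x1002}), datetime(2013, 11, 5, tzinfo=timezone.utc))
OCSP_DB = {0x1001: Status.GOOD, 0x1002: Status.REVOKED}

def responder_up(serial: int) -> Status:
    return OCSP_DB.get(serial, Status.UNKNOWN)
def responder_down(serial: int) -> Status:
    raise ResponderUnavailable("timeout")

if __name__ == "__main__":
    now = datetime(2013, 10, 29, tzinfo=timezone.utc)
    for lookup in (responder_up, responder_down):
        for s in (0x1001, 0x1002, 0x1003):
            print(lookup.__name__, hex(s), check_revocation(s, lookup, SAMPLE_CRL, now))
```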