Forum Discussion

SMilanic
Mar 06, 2024

Dynamic CRL Check with Client SSL Profile - How to notify the user?

Hi,

we have implemented dynamic CRL checking with a client SSL profile in our test environment with BIG-IP 15.1.

And it works. If a test user tries to establish an SSL session to a VIP with dynamic CRL checking enabled and the user's cert is revoked, the BIG-IP resets the connection.

We are looking for a way to direct the user's browser to an error page so that the user would be notified that the application can't be accessed because the cert is revoked. 

Obviously, the SSL session is (or is not) established before any traffic can be sent over HTTP. We can verify the CRL check result with "SSL::verify_result" in an iRule (for example), but the session is reset before an HTTP redirect can be sent.

We are aware that this can be done with LTM + APM, however for this use case the APM is not available. 

This was, for example, possible in the "old days" on Cisco ACE with:

parameter-map type ssl Map_Name
  authentication-failure redirect cert-revoked url URL_Address

Any ideas and help on how to notify the user that the cert has been revoked are greatly appreciated. Thanks!

  • Spit-balling here, but do you have Client Certificate auth set to Request or Require? The latter will terminate the session if validation fails. The former will not.

    • SMilanic

      Hi Kevin, 

      Yes, in fact, setting the Client cert auth to "Request" instead of "Require" solved the problem. 

      When the Client cert auth is set to "Request", we can catch the result in an iRule and redirect the client's browser to an error page.
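A sketch of the approach described in this reply, added here as an illustration and not code from the thread or from F5. It assumes the client SSL profile has Client Certificate set to Request with CRL checking enabled, and the variable name cert_status and the error-page wording are assumptions.

```tcl
# With Client Certificate auth set to "Request", the handshake completes even when
# the certificate fails CRL or chain validation, so the iRule must enforce the
# outcome itself instead of relying on the BIG-IP to reset the connection.
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] > 0 } {
        # 0 means the chain validated (CRL check included); any other value is an
        # OpenSSL X509 verify error code, e.g. for a revoked certificate.
        set cert_status [SSL::verify_result]
    } else {
        # "Request" also lets a client that presents no certificate through, so
        # that case must be treated as a failure rather than silently allowed.
        set cert_status "nocert"
    }
}

when HTTP_REQUEST {
    # Default-deny: if the variable was never set, the client never reached
    # CLIENTSSL_CLIENTCERT on this connection.
    if { ![info exists cert_status] } { set cert_status "nocert" }

    if { $cert_status eq "nocert" } {
        HTTP::respond 403 content "<html><body><h1>Access denied</h1><p>A client certificate is required.</p></body></html>" "Content-Type" "text/html" "Connection" "close"
        return
    }
    if { $cert_status != 0 } {
        # Serve a readable error page instead of a connection reset. The reason
        # string is a fixed OpenSSL text, not client-controlled input.
        set reason [X509::verify_cert_error_string $cert_status]
        HTTP::respond 403 content "<html><body><h1>Access denied</h1><p>Your client certificate could not be validated ($reason).</p></body></html>" "Content-Type" "text/html" "Connection" "close"
        return
    }
    # Certificate validated: let the request continue to the pool.
}
```

Serving the page inline avoids a loop: an HTTP::redirect to a URL on the same VIP would hit the same check again, so redirect only to a host that does not require the client certificate.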