Forum Discussion

chfrchfr_325824
Jul 14, 2017

Revoked Cert in CRL not logging

I have an authentication profile CRLDP server set that uses an LDAP instance to check the client cert presented against the LDAP CRL. This works fine and revoked certificates do not successfully handshake. However, I don't seem to get any logs of a revoked certificate being presented.


I thought I may need an iRule to accomplish this, but after playing around with X509::verify_cert_error_string and SSL::verify_result I'm stuck. I keep getting an OpenSSL verify value of 0 (X509_V_OK) when I expect at least one to be 23 (X509_V_ERR_CERT_REVOKED).


Has anyone got an iRule that successfully logs this info?


PS. I'd prefer not to abandon the authentication profile in favour of an Access Policy profile.


Thanks
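An iRule that logs the client certificate and the outcome of the revocation check, added here as an example; it is not code from the question or from F5. It assumes a Client SSL profile with client authentication enabled on the virtual server and logs to the local0 facility. Two things in it are assumptions rather than facts from the thread: that the CRLDP authentication profile raises the AUTH_FAILURE event when it rejects a certificate, and that SSL::verify_result at CLIENTSSL_CLIENTCERT reflects only the checks the SSL profile itself performs (which would explain the poster seeing 0 for a certificate the separate CRLDP profile later rejects). The second handler is therefore the one to watch for revoked certificates.

```tcl
# Added example, not part of the original post.
# Assumes: Client SSL profile with client auth enabled; CRLDP authentication
# profile attached; AUTH_FAILURE fires for a CRLDP rejection (assumption).

when CLIENTSSL_CLIENTCERT {
    # Fires during the handshake, before the authentication profile runs.
    if { [SSL::cert count] == 0 } {
        log local0.info "[IP::client_addr]: no client certificate presented"
        return
    }

    # Keep identity details in connection-scoped variables so later events can log them.
    set cert_subject [X509::subject [SSL::cert 0]]
    set cert_issuer  [X509::issuer [SSL::cert 0]]
    set cert_serial  [X509::serial_number [SSL::cert 0]]

    # OpenSSL numeric verify code and its text:
    # 0 = X509_V_OK, 23 = X509_V_ERR_CERT_REVOKED.
    # Assumption: this reflects the SSL profile's own chain check only, so a
    # certificate the CRLDP profile later rejects may still show 0 here.
    set verify_code [SSL::verify_result]
    set verify_text [X509::verify_cert_error_string $verify_code]

    if { $verify_code == 0 } {
        log local0.info "[IP::client_addr]: client cert accepted by SSL profile subject=\"$cert_subject\" issuer=\"$cert_issuer\" serial=$cert_serial"
    } else {
        log local0.warn "[IP::client_addr]: client cert REJECTED by SSL profile code=$verify_code ($verify_text) subject=\"$cert_subject\" issuer=\"$cert_issuer\" serial=$cert_serial"
    }
}

when AUTH_FAILURE {
    # Assumption: the CRLDP authentication profile raises this event when the
    # presented certificate is found on the CRL. Log the identity captured above
    # so the revoked certificate can be correlated with the client address.
    if { [info exists cert_subject] } {
        log local0.warn "[IP::client_addr]: authentication profile rejected client cert (likely revoked) subject=\"$cert_subject\" issuer=\"$cert_issuer\" serial=$cert_serial"
    } else {
        log local0.warn "[IP::client_addr]: authentication profile rejected connection, no client cert details captured"
    }
}
```

Attach the iRule to the same virtual server that carries the Client SSL and CRLDP profiles, present a known-revoked test certificate, and confirm which of the two log lines appears; if only the first handler logs and it reports code 0, that confirms the verify result is not where the CRLDP outcome surfaces.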


Reply:

Hello,

I am not sure what the correct event for an iRule would be here, but another solution is to increase the logging level for SSL from "System ›› Logs : Configuration : Options". Debug is the highest level, but it is not recommended in production if you have a lot of SSL traffic. You can try notice or informational first.

Regards