F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

Add support for DNS Resolver and Dynamic CRL Validator/Check for SSL Profiles #764

Open thepowercoders opened 8 months ago

thepowercoders commented 8 months ago

Is your feature request related to a problem? Please describe.

Add support in AS3 for creating a dynamic CRL check in the SSL profiles (client and server). There is an AS3 class for checking certificate revocation via OCSP (Certificate_Validator_OCSP class) but not for CRL. The dynamic feature was developed in 15.1 for serverSSL and then support for clientSSL was added later.

The current SSL profile classes (TLS_Client and TLS_Server) include a property "crlFile" with value Pointer_SSL_CRL_File. This allows a manual link to a CRL file, but this is not dynamic, so it cannot be automatically updated and requires a separate manual process to match connections to a valid CRL, download it manually, and then link it via the profile. Also, the existing OCSP validator class in AS3 does not include the ability to define a DNS resolver. The class has a property, Pointer_DNS_Resolver, to point to an existing resolver, but there is no separate AS3 class to define one. A DNS resolver is also used by the dynamic CRL feature, so it would be useful to include an AS3 class for this too.

Describe the solution you'd like

Addition of support (new classes) for:

Describe alternatives you've considered

Before the dynamic CRL validator feature was developed (in v15.1), the only way to use CRL was to manually download files (or create a script on the BIG-IP to download them). You then referenced the file in the SSL profile. However, you needed to make sure the CRL file which was referenced matched the CA which had signed the certificate being validated, or traffic would fail. Dynamic validation uses the CDP in the certificate and then the internal proxy to pull the file. It also caches it (in /config/filestore/crl_file_cache_d) and keeps it up to date based on the expiry date on the file.

OCSP is a better way of checking revocation status but unfortunately is not supported in all environments so CRL is still used a lot.
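The dynamic CRL flow the post describes (CDP lookup from the certificate, one cached CRL per distribution point that is refetched only once its nextUpdate has passed, and a hard failure when the CRL's issuer is not the CA that signed the certificate), modelled as an added Python example that is not part of this issue, of AS3, or of BIG-IP. The certificate and CRL records, the crl.example URLs, the CA names and the controllable clock are constructed stand-ins rather than parsed X.509 data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Set

@dataclass
class CertInfo:
    serial: int
    issuer: str
    cdp_url: str  # CRL Distribution Point URL carried in the certificate

@dataclass
class Crl:
    issuer: str
    next_update: datetime
    revoked: Set[int] = field(default_factory=set)

class CrlCache:
    """One CRL per distribution point; refetched only once its nextUpdate has passed."""
    def __init__(self, fetch: Callable[[str], Crl], now: Callable[[], datetime]):
        self._fetch, self._now, self._store = fetch, now, {}
        self.fetch_count = 0

    def get(self, url: str) -> Crl:
        crl = self._store.get(url)
        if crl is None or crl.next_update <= self._now():
            crl = self._fetch(url)  # stands in for the proxy download of the CDP URL
            self._store[url] = crl
            self.fetch_count += 1
        return crl

def check_revocation(cert: CertInfo, cache: CrlCache) -> str:
    """'good', 'revoked', or 'issuer-mismatch' when the CRL was not issued by the cert's CA."""
    crl = cache.get(cert.cdp_url)
    if crl.issuer != cert.issuer:
        return "issuer-mismatch"
    return "revoked" if cert.serial in crl.revoked else "good"

def demo():
    # Constructed scenario: two CAs, a controllable clock and a fake fetcher (no network).
    clock = {"t": datetime(2024, 1, 1, tzinfo=timezone.utc)}
    ca1, ca2 = "http://crl.example/ca1.crl", "http://crl.example/ca2.crl"
    cas = {ca1: ("CN=Example CA 1", {0x1001}), ca2: ("CN=Example CA 2", set())}
    def fetch(url: str) -> Crl:  # every download yields a CRL valid for one hour
        return Crl(cas[url][0], clock["t"] + timedelta(hours=1), cas[url][1])
    cache = CrlCache(fetch, lambda: clock["t"])
    results = [check_revocation(CertInfo(0x1002, "CN=Example CA 1", ca1), cache),
               check_revocation(CertInfo(0x1001, "CN=Example CA 1", ca1), cache),
               check_revocation(CertInfo(0x2001, "CN=Example CA 1", ca2), cache)]  # wrong CA's CRL
    fetched = cache.fetch_count  # 2: ca1 once (second cert hit the cache), ca2 once
    clock["t"] += timedelta(hours=2)  # past nextUpdate, so the next lookup refreshes ca1
    check_revocation(CertInfo(0x1002, "CN=Example CA 1", ca1), cache)
    return results, fetched, cache.fetch_count
```

Running demo() returns (['good', 'revoked', 'issuer-mismatch'], 2, 3): the third certificate fails because its distribution point serves another CA's CRL, which is exactly the mismatch the manual crlFile approach leaves to the operator.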

sunitharonan commented 4 months ago

Thanks for reaching out. We have created an internal backlog item, AUTOTOOL-4272. In order to prioritize this issue, please reach out to us at automation_toolchain_pm@f5.com