Bug ID 1001509: Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM, SSLO(all modules)

Known Affected Versions:
15.1.2.1, 15.1.2, 14.1.4

Fixed In:
15.1.3, 14.1.4.3

Opened: Mar 11, 2021

Severity: 2-Critical

Related Article: K11162395

Symptoms

-- A client system or browser does not trust forged certificates, and reports a cert verification warning: ERR_CERT_AUTHORITY_INVALID.
-- The forged certificate received by the client has the same values set for the AKI and SKI certificate extensions.

Impact

Client does not trust forged certificates and cannot connect to the backend.

Conditions

Client SSL profile in SSL forward proxy is configured with the same certificate for Cert Key Chain and CA Cert Key Chain, and that certificate has an SKI extension.
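The following is an added example, not part of the F5 bug record, that checks a certificate for the condition described under Symptoms and Conditions: a non-self-signed (forged) leaf whose Authority Key Identifier equals its own Subject Key Identifier. It uses only the Python standard library and a small DER walker, so it runs offline; the three certificates it builds are constructed, unsigned fixtures with placeholder keys and signatures (names, key identifiers and dates are invented), and the `check_pem` helper is the entry point for a real PEM certificate captured from the client side of the proxy.

```python
"""Flag forged leaf certificates whose AKI keyIdentifier equals their own SKI."""
import ssl

SKI_OID = bytes.fromhex("551d0e")  # 2.5.29.14 subjectKeyIdentifier
AKI_OID = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier


def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, next_pos). Single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Return [(tag, value), ...] for the elements inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def key_identifiers(cert_der):
    """Return (issuer_der, subject_der, ski, aki_keyid); identifiers are None if absent."""
    _, cert, _ = _tlv(cert_der, 0)
    _, tbs, _ = _tlv(cert, 0)
    fields = _children(tbs)
    if fields and fields[0][0] == 0xA0:  # drop explicit [0] version so positions line up
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]  # serial, sigalg, issuer, validity, subject
    ski = aki = None
    for tag, val in fields[6:]:
        if tag != 0xA3:  # explicit [3] extensions
            continue
        _, ext_seq, _ = _tlv(val, 0)
        for _, ext in _children(ext_seq):
            parts = _children(ext)
            oid, ext_value = parts[0][1], parts[-1][1]  # optional critical BOOLEAN sits between
            if oid == SKI_OID:
                _, ski, _ = _tlv(ext_value, 0)  # OCTET STRING keyIdentifier
            elif oid == AKI_OID:
                _, aki_seq, _ = _tlv(ext_value, 0)
                for t, v in _children(aki_seq):
                    if t == 0x80:  # [0] IMPLICIT keyIdentifier
                        aki = v
    return issuer, subject, ski, aki


def forged_cert_problem(cert_der):
    """True when a certificate that is not self-signed carries AKI == SKI (the bug's symptom)."""
    issuer, subject, ski, aki = key_identifiers(cert_der)
    if ski is None or aki is None:
        return False
    return issuer != subject and ski == aki


def check_pem(pem_text):
    """Same check for a PEM certificate, e.g. one exported from the browser warning page."""
    return forged_cert_problem(ssl.PEM_cert_to_DER_cert(pem_text))


# --- constructed fixtures (minimal DER encoder; not valid, signed certificates) ---
def _enc(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _seq(*items):
    return _enc(0x30, b"".join(items))


def _name(cn):  # Name = SEQUENCE OF SET OF { CN OID 2.5.4.3, UTF8String }
    return _seq(_enc(0x31, _seq(_enc(0x06, b"\x55\x04\x03"), _enc(0x0C, cn.encode()))))


def build_cert(issuer_cn, subject_cn, ski, aki):
    """Unsigned v3 certificate skeleton with placeholder key and signature (test fixture)."""
    sha256_rsa = _seq(_enc(0x06, bytes.fromhex("2a864886f70d01010b")), _enc(0x05, b""))
    rsa_enc = _seq(_enc(0x06, bytes.fromhex("2a864886f70d010101")), _enc(0x05, b""))
    validity = _seq(_enc(0x17, b"210311000000Z"), _enc(0x17, b"230712000000Z"))
    spki = _seq(rsa_enc, _enc(0x03, b"\x00" * 9))
    exts = [_seq(_enc(0x06, SKI_OID), _enc(0x04, _enc(0x04, ski)))]
    if aki is not None:
        exts.append(_seq(_enc(0x06, AKI_OID), _enc(0x04, _seq(_enc(0x80, aki)))))
    tbs = _seq(_enc(0xA0, _enc(0x02, b"\x02")), _enc(0x02, b"\x01"), sha256_rsa,
               _name(issuer_cn), validity, _name(subject_cn), spki, _enc(0xA3, _seq(*exts)))
    return _seq(tbs, sha256_rsa, _enc(0x03, b"\x00" * 9))


CA_KEYID = bytes.fromhex("a1b2c3d4" * 5)    # constructed 20-byte identifiers
LEAF_KEYID = bytes.fromhex("0f1e2d3c" * 5)
# Forged leaf as the bug emits it: SKI copied from the CA that also signs it.
BAD_LEAF = build_cert("Forward Proxy CA", "www.example.com", CA_KEYID, CA_KEYID)
# Forged leaf from a correctly configured profile: its own SKI, AKI pointing at the CA.
GOOD_LEAF = build_cert("Forward Proxy CA", "www.example.com", LEAF_KEYID, CA_KEYID)
# Self-signed root: AKI == SKI is normal here and must not be flagged.
ROOT = build_cert("Forward Proxy CA", "Forward Proxy CA", CA_KEYID, CA_KEYID)

if __name__ == "__main__":
    for label, cert in (("bad leaf", BAD_LEAF), ("good leaf", GOOD_LEAF), ("root", ROOT)):
        print(label, "->", "AKI == SKI problem" if forged_cert_problem(cert) else "ok")
```

The self-signed root case is kept deliberately: a CA certificate legitimately has matching AKI and SKI, so the check only fires when issuer and subject differ, which is exactly the situation the client hits with the forged leaf.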

Workaround

Modify the Cert Key Chain on the Client SSL profile so that it uses a different certificate from the CA Cert Key Chain. For details, see K11162395: A client browser may not trust the certificate issued by the BIG-IP SSL forward proxy (https://support.f5.com/csp/article/K11162395).

Fix Information

The certificate forged by the SSL forward proxy no longer contains AKI and SKI extensions, so this issue no longer occurs.

Behavior Change
