Last Modified: Jun 04, 2025
Affected Product(s):
F5OS Velos
Known Affected Versions:
F5OS-A 1.7.0, F5OS-C 1.6.0, F5OS-C 1.6.1, F5OS-C 1.6.2
Fixed In:
F5OS-C 1.8.0, F5OS-A 1.8.0
Opened: Feb 08, 2024
Severity: 2-Critical
Related Article:
K000139300
Because no Subject Alternative Name (SAN) could be inserted into the http-server’s self-signed certificate, client-side SSL validation was not supported. This impacts Central Manager's VELOS/rSeries provider. The missing SAN field causes the certificate to be rejected.
Client-side SSL validation is not supported.
Using the default self-signed certificate.
To add a SAN, edit the /etc/pki/tls/openssl.cnf file and add it there. However, this may not be effective for certain software that does not accurately read the configuration file.
A new, mandatory SAN field has been implemented in which users enter a value. However, if the value “none” is used, the SAN field can be omitted. Additionally, to allow entry of the SAN, a default TLS certificate is created in /etc/auth-config/default/f5os.cert that has the SAN populated with the hostname and management-ip values. In the absence of a user-provided self-signed certificate, the http-server will automatically use the default certificate.
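One way to confirm that a certificate carries SAN entries for both the hostname and the management IP, as the fixed default certificate is described as doing. This is an added example, not F5 code; it assumes the openssl CLI (1.1.1 or later, for -addext), and the hostname velos.example.com and address 192.0.2.10 are constructed sample values.

```shell
#!/bin/sh
# Added example (not F5 code): verify that a certificate's SAN lists the
# hostname and management IP that clients will connect to.

# make_cert OUT CN [SAN] -> writes a throwaway self-signed cert for the demo.
make_cert() {
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$1.key" -out "$1" -addext "subjectAltName=$3" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$1.key" -out "$1" 2>/dev/null
    fi
}

# san_covers CERT HOST IP -> exit 0 only if the SAN lists both exactly.
san_covers() {
    # The SAN values sit on the line after the extension header in the text
    # dump; the result is empty when the certificate has no SAN at all.
    entries=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//')
    # Whole-line fixed-string matches, so 192.0.2.1 does not pass for 192.0.2.10.
    printf '%s\n' "$entries" | grep -qxF "DNS:$2" &&
        printf '%s\n' "$entries" | grep -qxF "IP Address:$3"
}

# Demo on constructed certificates: one without a SAN, one with it populated.
tmp=$(mktemp -d)
make_cert "$tmp/legacy.pem" velos.example.com
make_cert "$tmp/fixed.pem" velos.example.com "DNS:velos.example.com,IP:192.0.2.10"
for c in legacy fixed; do
    if san_covers "$tmp/$c.pem" velos.example.com 192.0.2.10; then
        echo "$c: SAN covers hostname and management IP"
    else
        echo "$c: SAN missing or incomplete; validating clients will reject it"
    fi
done
rm -rf "$tmp"
```

To check a real system, run san_covers against a copy of /etc/auth-config/default/f5os.cert (or the user-provided certificate) with that system's own hostname and management IP.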