Bug ID 489382: Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert

Last Modified: Dec 10, 2018

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.3, 11.4.1 HF9

Opened: Nov 07, 2014
Severity: 3-Major

Symptoms

Browser clients allow the Machine Cert Auth agent to pass even if the match SubjectCN and FQDN criterion is not satisfied. This happens only if the selected certificate is recognized by the BIG-IP system but does not fit the Machine Cert Auth selection criteria.

Impact

The browser allows network access to be established even though it should not.

Conditions

The problem occurs with a Mac and the browser client, with the Machine Cert Auth agent in the access policy, and a valid certificate.

Workaround

To work around the problem, add more search criteria in the Machine Cert Auth agent.

Fix Information

The browser client now selects the appropriate certificate when the match SubjectCN and FQDN criterion is specified in the Machine Cert Auth agent.

Behavior Change