Last Modified: Oct 06, 2020
See more info
Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4
12.0.0, 11.6.0 HF5, 11.5.3, 11.4.1 HF9
Opened: Nov 07, 2014
Browser clients allow Machine Cert Auth agent to pass even if the match SubjectCN and FQDN criteria is not satisfied. It only happens if the selected certificate is recognized by the BIG-IP system but does not fit the Machine Cert Auth selection criteria.
Browser allows network access to be established even though it should not
The problem occurs with a Mac and the browser client, with the Machine Cert Auth agent in the access policy, and a valid certificate.
To work around the problem, add more search criteria in the Machine Cert Auth agent.
Browser client now selects the appropriate certificate when the match SubjectCN and FQDN criteria is specified in the Machine Cert Auth agent.