Bug ID 489382: Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.3, 11.4.1 HF9

Opened: Nov 07, 2014

Severity: 3-Major

Symptoms

Browser clients allow the Machine Cert Auth agent to pass even if the match SubjectCN and FQDN criterion is not satisfied. This happens only if the selected certificate is recognized by the BIG-IP system but does not fit the Machine Cert Auth selection criteria.

Impact

The browser client allows network access to be established even though it should not.

Conditions

The problem occurs with a Mac and the browser client, with the Machine Cert Auth agent in the access policy, and a valid certificate.

Workaround

To work around the problem, add more search criteria in the Machine Cert Auth agent.

Fix Information

The browser client now selects the appropriate certificate when the match SubjectCN and FQDN criterion is specified in the Machine Cert Auth agent.

Behavior Change
