Bug ID 511818: Support RSASSA-PSS signature algorithm in server SSL certificate

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0, 11.5.4 HF3

Opened: Mar 11, 2015

Severity: 3-Major

Symptoms

The SSL handshake fails if the certificate configured in the client SSL profile's cert-key-chain is signed with RSASSA-PSS.

Impact

The SSL handshake between the client and the BIG-IP system fails.

Conditions

A certificate whose signature algorithm is RSASSA-PSS is used in a client SSL profile.

Workaround

Do not use a certificate whose signature algorithm is rsassaPss.
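A check worth running before a certificate is loaded into a client SSL profile on an affected version: read the outer signatureAlgorithm OID of the X.509 structure and flag id-RSASSA-PSS. The Python below is an added example, not F5 code, and uses only the standard library; the two embedded sample certificates are constructed stubs (a placeholder tbsCertificate and signature around a genuine AlgorithmIdentifier), and the script name check_sig_alg.py is assumed.

```python
import base64, sys
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"   # id-RSASSA-PSS; 1.2.840.113549.1.1.11 is sha256WithRSA

def _read_tlv(buf, pos):                   # -> (tag, value_start, value_end) of the DER TLV at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real certificates use it)
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, pos, pos + length

def _decode_oid(raw):                      # DER OID content octets -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """OID in Certificate.signatureAlgorithm, the element right after tbsCertificate."""
    tag, start, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(der, start)                 # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, pos)           # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return _decode_oid(der[oid_start:oid_end])

def uses_rsassa_pss(der):
    return signature_algorithm_oid(der) == OID_RSASSA_PSS

# Constructed stubs, not real certs: placeholder tbsCertificate/signature around a real AlgorithmIdentifier
def _tlv(tag, body):                                  # short-form length is enough here
    return bytes([tag, len(body)]) + body
def _sample_cert(oid_hex, params):
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + params)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\xff"))
SAMPLE_PSS = _sample_cert("2a864886f70d01010a", _tlv(0x30, b""))  # rsassaPss
SAMPLE_RSA = _sample_cert("2a864886f70d01010b", _tlv(0x05, b""))  # sha256WithRSAEncryption

if __name__ == "__main__":                            # usage: python check_sig_alg.py cert.pem|cert.der
    data = open(sys.argv[1], "rb").read()
    if data.startswith(b"-----"):                     # single-cert PEM: strip armor, decode base64
        data = base64.b64decode(b"".join(l for l in data.splitlines() if b"-----" not in l))
    print(signature_algorithm_oid(data), "rsassaPss" if uses_rsassa_pss(data) else "")
```

The same OID check also applies to each certificate in the chain, since the bug concerns the certificate in the cert-key-chain rather than the key type itself.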

Fix Information

The SSL handshake succeeds when a certificate signed with RSASSA-PSS is used in the client SSL profile.

Behavior Change

Before the change: The SSL handshake would fail if the certificate configured in the client SSL profile cert-key-chain was signed with RSASSA-PSS, because the system did not support certificates with the RSASSA-PSS signature algorithm.

After the change: The SSL handshake succeeds when a certificate signed with RSASSA-PSS is used in the client SSL profile. This does not fix the case where the client authentication X.509 certificate chain contains PSS signatures, nor does it add PSS support to the TLS portion of the handshake; the fix applies only to the BIG-IP system's own X.509 server certificate chain.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips