Bug ID 578573: SSL Forward Proxy Forged Certificate Signature Algorithm

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
13.0.0, 12.1.3

Opened: Mar 08, 2016

Severity: 3-Major

Symptoms

In SSL Forward Proxy, the signature algorithm of the CA certificate configured on the client SSL profile can change the signature algorithm of the forged certificate (the certificate the BIG-IP generates and presents to the client) so that it no longer matches the server certificate. For example, if the server certificate uses SHA1 but the CA certificate configured in the client SSL profile uses SHA256, the forged certificate will use SHA256. If the server certificate uses SHA256 but the CA certificate configured in the client SSL profile uses SHA1, the forged certificate will use SHA1. Both scenarios are a problem for a customer.

Impact

The signature algorithm of the forged certificate may differ from the signature algorithm of the server certificate.

Conditions

This occurs when the signature algorithm of the CA certificate configured in the client SSL profile differs from the signature algorithm of the server certificate.

Workaround

Configure the CA certificate in the client SSL profile so that its signature algorithm matches that of the server certificate.
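To confirm the workaround took effect, compare the outer signatureAlgorithm of the certificate a client receives through the forward proxy with that of the origin server certificate. The following is an added example, not F5 code: a small DER walker that reads only the signatureAlgorithm OID of an X.509 certificate, plus a constructed cert-shaped fixture for offline testing (not a real certificate).

```python
# Known signatureAlgorithm OIDs; anything else is returned in dotted form.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count of length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode base-128 OID contents into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Name (or dotted OID) of the outer signatureAlgorithm of a DER certificate."""
    _, cert, _ = read_tlv(cert_der, 0)     # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)          # tbsCertificate, skipped
    _, alg, _ = read_tlv(cert, pos)        # signatureAlgorithm ::= SEQUENCE
    _, oid, _ = read_tlv(alg, 0)           # algorithm OBJECT IDENTIFIER
    dotted = decode_oid(oid)
    return SIG_ALG_OIDS.get(dotted, dotted)

def forged_matches_server(forged_der, server_der):
    """True when the forged cert kept the server cert's signature algorithm."""
    return signature_algorithm(forged_der) == signature_algorithm(server_der)

def make_test_cert(oid_bytes):
    """Constructed fixture: cert-shaped DER carrying the given OID (not a real cert)."""
    tbs = b"\x30\x02\x05\x00"              # placeholder tbsCertificate
    alg = b"\x30" + bytes([len(oid_bytes) + 4]) + b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    sig = b"\x03\x02\x00\xff"              # placeholder signature BIT STRING
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body
```

With real input, pass the DER bytes of the certificate captured from the client side of the proxy and of the origin server certificate; a False result reproduces the mismatch this bug describes.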

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips