Last Modified: Jul 13, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4
Fixed In:
13.0.0, 12.1.3
Opened: Mar 08, 2016
Severity: 3-Major
In SSL Forward Proxy, the signature algorithm used by the CA certificate configured on the client SSL profile can change the signature algorithm used by the server certificate. For example, if the server certificate uses SHA1 but the CA certificate configured in the client SSL profile uses SHA256, the forged certificate will use SHA256. If the server certificate uses SHA256 but the CA certificate configured in the client SSL profile uses SHA1, the forged certificate will use SHA1. Both scenarios are a problem for a customer.
The signature algorithm of the forged certificate may differ from the signature algorithm of the server certificate.
When the signature algorithm of the CA certificate configured in the client SSL profile differs from the signature algorithm of the server certificate.
Configure the CA certificate in the client SSL profile so that its signature algorithm matches that of the server certificate.
None
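One way to check the workaround condition offline, as an added example that is not F5 code: it reads the `signatureAlgorithm` field from the CA certificate and the server certificate and reports a mismatch. The function names are hypothetical, and the sample inputs are constructed DER skeletons, not real certificates.

```python
import ssl

# Signature-algorithm OIDs to names (extend for ECDSA etc.).
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(der):
    """Name (or dotted OID) of Certificate.signatureAlgorithm in a DER cert."""
    _, cert_start, _ = read_tlv(der, 0)         # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)   # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    body = der[oid_start:oid_end]
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                          # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    oid = ".".join(map(str, arcs))
    return SIG_ALGS.get(oid, oid)

def pem_signature_algorithm(pem_text):
    # Same check for the text of a PEM file, e.g. an exported CA certificate.
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem_text))

def mismatch(ca_der, server_der):
    """Return (ca_alg, server_alg) when the two differ, else None."""
    ca, srv = signature_algorithm(ca_der), signature_algorithm(server_der)
    return None if ca == srv else (ca, srv)

# Constructed DER skeletons, NOT valid certificates: only the fields read above.
def tlv(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def skeleton(last_oid_byte):
    oid = bytes.fromhex("06092a864886f70d0101") + bytes([last_oid_byte])
    tbs = tlv(0x30, tlv(0x04, bytes(130)))      # filler forces long-form lengths
    return tlv(0x30, tbs + tlv(0x30, oid + b"\x05\x00") + tlv(0x03, bytes(9)))
```

For real certificates, pass the PEM text of the CA certificate and of the origin server certificate to `pem_signature_algorithm` and compare the two results.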