Bug ID 578573: SSL Forward Proxy Forged Certificate Signature Algorithm

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
13.0.0, 12.1.3

Opened: Mar 08, 2016
Severity: 3-Major

Symptoms

In SSL Forward Proxy, the signature algorithm of the CA certificate configured on the client SSL profile determines the signature algorithm of the forged server certificate, instead of the signature algorithm of the original server certificate. For example, if the server certificate is signed with SHA1 but the CA certificate configured in the client SSL profile is signed with SHA256, the forged certificate is signed with SHA256. If the server certificate is signed with SHA256 but the CA certificate configured in the client SSL profile is signed with SHA1, the forged certificate is signed with SHA1. Both scenarios are a problem for customers.

Impact

The signature algorithm of the forged certificate may differ from the signature algorithm of the server certificate. In the second scenario above, a server certificate signed with SHA256 is presented to the client as a forged certificate signed with SHA1.

Conditions

The signature algorithm of the CA certificate configured in the client SSL profile differs from the signature algorithm of the server certificate.

Workaround

Configure the CA certificate in the client SSL profile so that its signature algorithm matches the signature algorithm of the server certificate.
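To verify that the workaround condition holds, the signature algorithm of the CA certificate in the client SSL profile and of the origin server certificate can be compared directly from the DER encoding. The script below is an added example, not F5 code; it uses only the Python standard library, walks the outer Certificate SEQUENCE, skips tbsCertificate and decodes the OID of the signatureAlgorithm field. It works on real DER or PEM certificates (for example, `openssl x509 -outform DER`), and, for an offline run, builds two constructed stand-in certificate shells (placeholder tbsCertificate and signature, not real certificates) carrying the sha1WithRSAEncryption and sha256WithRSAEncryption OIDs. The function name `check_forward_proxy` and the prediction that the forged certificate follows the CA certificate's algorithm restate the behaviour described in Symptoms.

```python
"""Compare the signature algorithm of a client SSL profile CA certificate
with that of an origin server certificate (Bug ID 578573 condition).
Added example, not F5 code. Stdlib only."""
import base64
import sys

# Dotted OID -> name for the common signature algorithms.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(raw):
    """Turn OID content octets into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    tag, _, tbs_end = read_tlv(cert_der, start)      # tbsCertificate (skipped)
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, alg_start, _ = read_tlv(cert_der, tbs_end)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(cert_der[oid_start:oid_end])

def check_forward_proxy(ca_cert_der, server_cert_der):
    """Return (mismatch, ca_alg, server_alg, forged_alg). On affected versions
    the forged certificate follows the CA certificate's algorithm."""
    ca_oid = signature_algorithm(ca_cert_der)
    srv_oid = signature_algorithm(server_cert_der)
    name = SIG_ALG_NAMES.get
    return (ca_oid != srv_oid, name(ca_oid, ca_oid),
            name(srv_oid, srv_oid), name(ca_oid, ca_oid))

def load_certificate(path):
    """Read a PEM or DER certificate file into DER bytes."""
    data = open(path, "rb").read()
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    return data

# --- constructed stand-ins for an offline run (not real certificates) ---
def tlv(tag, content):
    """Encode one DER element (content shorter than 65536 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100
                                          else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content

def encode_oid(dotted):
    """Inverse of decode_oid."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return bytes(out)

def constructed_cert(sig_oid):
    """Certificate shell with placeholder tbsCertificate and signature."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))

CA_SHA1 = constructed_cert("1.2.840.113549.1.1.5")          # CA in client SSL profile
SERVER_SHA256 = constructed_cert("1.2.840.113549.1.1.11")   # origin server cert

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: check.py <profile-ca.crt> <server.crt>
        pair = (load_certificate(sys.argv[1]), load_certificate(sys.argv[2]))
    else:
        pair = (CA_SHA1, SERVER_SHA256)
    mismatch, ca, srv, forged = check_forward_proxy(*pair)
    print(f"CA: {ca}  server: {srv}  forged would be: {forged}")
    print("MISMATCH: fix the client SSL profile CA" if mismatch else "OK")
```

Run it with the CA certificate assigned to the client SSL profile and a certificate fetched from the origin (for example via `openssl s_client -showcerts`); a MISMATCH means the forged certificate handed to clients will carry the CA's algorithm rather than the origin's.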

Fix Information

None

Behavior Change