Bug ID 586006: Failed to retrieve CRLDP list from client certificate if DirName type is present

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3

Opened: Apr 07, 2016

Severity: 3-Major

Symptoms

Client certification revocation check will fail.

Impact

Users may fail access policy evaluation when client certification is used.

Conditions

Two conditions will trigger this problem: 1. A CRLDP agent is configured in the access policy without server hostname and port, which is needed for DirName type processing. AND 2. At least one DirName type CRLDP is present in the client certification and it is the first in the list.

Workaround

Configure an LDAP server for the CRLDP object. It need not return a valid CRL.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips