Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6
Fixed In:
13.0.0, 11.6.2
Opened: Aug 08, 2016 Severity: 3-Major Related Article:
K38333488
Machine certificate check on MAC creates issuer string with incorrect domain component (DC) order if it has any domain component in the certificate. For example, if DC in certificate says example.com, issuer DC string should look like "DC=example, DC=com" but instead, it's in reverse order (DC="com", DC="example").
Machine certificate check might fail.
Machine certificate check configured on BIG-IP systems, certificate contains DC components.
For access policies with machine certificate check targeted towards MAC, the order of DC should be reversed (compared to access policy with machine certificate check targeted towards Microsoft Windows) in the regex configured in machine certificate check.
DC order evaluated by MAC is correctly ordered now and matches with that of Microsoft Windows.
Previously, machine certificate check on MAC creates issuer string with incorrect domain component (DC) order if it has any domain component in the certificate. For example, if DC in certificate says example.com, issuer DC string should look like "DC=example, DC=com" but instead, it's in reverse order (DC="com", DC="example"). Now, DC order evaluated by MAC is correctly ordered now and matches with that of Microsoft Windows.