Bug ID 609674: machine certificate check creates issuer string with DC with reverse order

Last Modified: Dec 20, 2018

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4

Fixed In:
13.0.0, 11.6.2

Opened: Aug 08, 2016
Severity: 3-Major
Related AskF5 Article:
K38333488

Symptoms

Machine certificate check on Mac creates the issuer string with the domain components (DC) in the wrong order whenever the certificate contains any domain component. For example, if the DC in the certificate is example.com, the issuer DC string should look like "DC=example, DC=com", but instead it is in reverse order (DC="com", DC="example").

Impact

Machine certificate check might fail.

Conditions

Machine certificate check is configured on BIG-IP systems, and the certificate contains DC components.

Workaround

For access policies whose machine certificate check targets Mac, reverse the order of the DC entries in the regex configured in the machine certificate check, compared with an access policy whose machine certificate check targets Microsoft Windows.
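The workaround above, worked through as an added example (not F5 code): it derives the Windows-order and reversed-DC issuer patterns from one issuer string and checks each against both orderings. The issuer strings are constructed samples, all function names are hypothetical, and the regex syntax is Python's; the dialect accepted by the machine certificate check field is not stated on this page.

```python
import re

def split_rdns(issuer):
    """Split 'CN=X, DC=example, DC=com' into its components.
    Naive comma split: values containing escaped commas are not handled."""
    return [p.strip() for p in issuer.split(",") if p.strip()]

def reverse_dc_order(rdns):
    """Reverse the order of the DC components; other components keep their slots
    (assumption: only the DC order differs between the two platforms)."""
    slots = [i for i, r in enumerate(rdns) if r.upper().startswith("DC=")]
    values = [rdns[i] for i in slots]
    out = list(rdns)
    for slot, value in zip(slots, reversed(values)):
        out[slot] = value
    return out

def issuer_regex(rdns):
    """Anchored regex matching the components literally, with optional
    whitespace after each comma."""
    return "^" + r",\s*".join(re.escape(r) for r in rdns) + "$"

def patterns_for(issuer_in_windows_order):
    """Return one pattern per platform for an affected version."""
    rdns = split_rdns(issuer_in_windows_order)
    return {
        "windows": issuer_regex(rdns),
        "mac_affected": issuer_regex(reverse_dc_order(rdns)),
    }

def matches(pattern, issuer):
    return re.search(pattern, issuer) is not None

# Constructed sample issuer strings (not taken from a real certificate).
WINDOWS_ISSUER = "CN=Example Issuing CA, DC=example, DC=com"
MAC_AFFECTED_ISSUER = "CN=Example Issuing CA, DC=com, DC=example"

if __name__ == "__main__":
    for name, pat in patterns_for(WINDOWS_ISSUER).items():
        print(f"{name:13} {pat}")
        print("   matches Windows-order issuer:", matches(pat, WINDOWS_ISSUER))
        print("   matches reversed-DC issuer: ", matches(pat, MAC_AFFECTED_ISSUER))
```

After upgrading to a fixed version, the reversed pattern no longer matches and the Mac policy should use the same pattern as the Windows one.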

Fix Information

The DC order evaluated on Mac is now correct and matches that of Microsoft Windows.

Behavior Change

Previously, machine certificate check on Mac created the issuer string with the domain components (DC) in the wrong order whenever the certificate contained any domain component. For example, if the DC in the certificate is example.com, the issuer DC string should look like "DC=example, DC=com", but instead it was in reverse order (DC="com", DC="example"). Now, the DC order evaluated on Mac is correct and matches that of Microsoft Windows.