Bug ID 612554: Some SSL certificate SHA verification fails for different SHA prefix used by Crypto

Last Modified: Mar 21, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4

Fixed In:
13.0.0

Opened: Aug 24, 2016
Severity: 3-Major

Symptoms

For PKCS#1, the SHA256 header should be: 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20. However, there might also be this alternate header: 30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20, Some implementation use the alternate. According to PKCS#1, the first one is used when producing signature, but both should be accepted when verifying signatures. In BIG-IP, SSL uses the 1st header: 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20, whereas crypto uses the 2nd header format for some cert verification: 30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20, which causes the inconsistent and signature verification fail.

Impact

SSL handshake fails because of certificate verification failure.

Conditions

For some particular certificates, crypto uses alternative SHA prefix for verification.

Workaround

None.

Fix Information

BIG-IP systems now also accept alternative SHA prefixes during the certificate SHA verification.

Behavior Change