Last Modified: Oct 10, 2018
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1
Opened: Oct 14, 2016
Related AskF5 Article: K20488861
After upgrading to 11.6.1 HF1, CRLDP authentication stopped working. The following sample log shows that the URL is not parsed correctly:
warning apd: 0149015e:4: fc98d22d: CRLDP Auth agent: CRL lookup failed for LDAP url 'ldap::::389//crl.certificate.../..../certificaterevocationlist?certificateRevocationList' reason 'Invalid CRLDP URL.
Users may fail access policy evaluation when a client certificate is used.
The problem occurs only when an LDAP-type CRLDP is present in the client certificate and it is the entry used from the CRL Distribution Points list.
Configure distribution points of a type other than LDAP in the certificate. If multiple distribution points are present in the client certificate, make sure that a non-LDAP scheme succeeds before the LDAP CRLDP is reached.
The system now parses LDAP-type CRLDP URLs correctly, so after upgrading, CRLDP authentication works as expected.
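To find client certificates that meet the condition described above, the CRL Distribution Points can be read in certificate order and checked for LDAP entries. This is an added example, not F5 code: it parses constructed `openssl x509 -noout -text` output, and the function names, result labels and hostnames are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: CRL Distribution Points section as printed by
# `openssl x509 -noout -text`. Hostnames and DN are placeholders.
SAMPLE_TEXT = """\
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap://crl.example.test:389/CN=Example%20CA,O=Example?certificateRevocationList

                Full Name:
                  URI:http://crl.example.test/example-ca.crl
            X509v3 Key Usage: critical
                Digital Signature
"""

def crldp_uris(cert_text):
    """Return the CRLDP URIs in the order they appear in the certificate."""
    uris, header_indent = [], None
    for line in cert_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue  # openssl may print blank lines between entries
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if stripped.startswith("X509v3 CRL Distribution Points"):
                header_indent = indent
        elif indent <= header_indent:
            break  # next extension header: the CRLDP section has ended
        elif stripped.startswith("URI:"):
            uris.append(stripped[len("URI:"):])
    return uris

def classify(uris):
    """Label a certificate by where its LDAP distribution points sit.

    Only the 'ldap' scheme is counted, matching the log line on this page.
    """
    schemes = [urlsplit(u).scheme.lower() for u in uris]
    ldap = [i for i, s in enumerate(schemes) if s == "ldap"]
    other = [i for i, s in enumerate(schemes) if s != "ldap"]
    if not ldap:
        return "no-ldap"           # condition for the issue is not met
    if not other:
        return "ldap-only"         # no non-LDAP point to fall back on
    # The workaround needs a non-LDAP point to be tried (and succeed) first.
    return "ldap-first" if ldap[0] < other[0] else "ldap-after-other"

if __name__ == "__main__":
    found = crldp_uris(SAMPLE_TEXT)
    print(classify(found), found)
```

A result of `ldap-after-other` only shows that the ordering matches the workaround; the non-LDAP lookup still has to succeed on the affected version.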