Bug ID 622830: LDAP type CRLDP is parsed incorrectly

Last Modified: May 14, 2019

Affected Product:
BIG-IP APM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1

Fixed In:
11.6.1 HF2

Opened: Oct 14, 2016
Severity: 2-Critical
Related AskF5 Article:
K20488861

Symptoms

After upgrading to 11.6.1 HF1, CRLDP authentication stopped working. The following sample log shows that the URL is not parsed correctly:

warning apd[15314]: 0149015e:4: fc98d22d: CRLDP Auth agent: CRL lookup failed for LDAP url 'ldap::::389//crl.certificate.../..../certificaterevocationlist?certificateRevocationList' reason 'Invalid CRLDP URL.
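To tell this symptom apart from other CRLDP failures during log triage, the following added example (not F5 code, and not part of the original bug record) parses an LDAP distribution point URL according to the RFC 4516 layout and flags apd lines whose logged URL has the mangled shape shown above. The hostname, DN, sample log line and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed log line in the shape of the apd warning quoted above
# (host and DN are made up; example.test is a reserved name).
SAMPLE_LINE = ("warning apd[15314]: 0149015e:4: fc98d22d: CRLDP Auth agent: "
               "CRL lookup failed for LDAP url 'ldap::::389//crl.example.test/"
               "cn=Example%20CA,o=Example?certificateRevocationList' "
               "reason 'Invalid CRLDP URL.")
# Constructed well-formed counterpart, as it would appear in a certificate.
GOOD_URL = ("ldap://crl.example.test:389/cn=Example%20CA,o=Example"
            "?certificateRevocationList")

LOG_RE = re.compile(r"CRLDP Auth agent: CRL lookup failed for LDAP url "
                    r"'(?P<url>[^']*)' reason '(?P<reason>[^']*)")

def parse_ldap_crldp(url):
    """Split an RFC 4516 LDAP URL; raise ValueError if it is malformed."""
    url = url.strip()
    parts = urlsplit(url)                      # urlsplit lowercases the scheme
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme is not ldap or ldaps")
    if not url[len(parts.scheme):].startswith("://"):
        raise ValueError("scheme is not followed by '://'")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    dn = unquote(parts.path[1:])               # path is '/' + DN
    # Query layout is attributes?scope?filter?extensions; keep the attributes.
    attrs = [unquote(a) for a in parts.query.split("?")[0].split(",") if a]
    if not dn or not attrs:
        raise ValueError("DN or attribute missing, nothing to fetch")
    return {"host": parts.hostname, "port": port, "dn": dn, "attrs": attrs}

def matches_bug_signature(line):
    """True if an apd CRLDP failure logged an LDAP URL that cannot be parsed."""
    m = LOG_RE.search(line)
    if not m or "Invalid CRLDP URL" not in m["reason"]:
        return False
    try:
        parse_ldap_crldp(m["url"])
    except ValueError:
        return True      # logged URL is mangled, as in the symptom above
    return False         # logged URL is well formed, not the shape shown above

if __name__ == "__main__":
    print(parse_ldap_crldp(GOOD_URL))
    print(matches_bug_signature(SAMPLE_LINE))
```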

Impact

Users may fail access policy evaluation when client certificate authentication is used.

Conditions

The problem occurs only when the client certificate contains an LDAP-type CRLDP and that entry is the one used from the CRL Distribution Points list.

Workaround

Configure distribution points of a type other than LDAP in the certificate, or, if the client certificate contains multiple distribution points, make sure a non-LDAP scheme succeeds before the LDAP CRLDP is reached.

Fix Information

The system now parses LDAP-type CRLDP URLs correctly, so after upgrading, CRLDP authentication works as expected.

Behavior Change