Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4
Fixed In:
11.6.1 HF2
Opened: Oct 14, 2016
Severity: 2-Critical
Related Article:
K20488861
After upgrading to 11.6.1 HF1, CRLDP authentication stopped working. The following sample log shows that the URL is not parsed correctly:
warning apd[15314]: 0149015e:4: fc98d22d: CRLDP Auth agent: CRL lookup failed for LDAP url 'ldap::::389//crl.certificate.../..../certificaterevocationlist?certificateRevocationList' reason 'Invalid CRLDP URL.
Users may fail access policy evaluation when client certificate authentication is used.
The problem occurs only when the client certificate contains an LDAP-type CRLDP and that entry is the one used from the CRL Distribution Points list.
Configure distribution points of a type other than LDAP in the certificate or, if multiple distribution points are present in the client certificate, make sure a distribution point with a non-LDAP scheme succeeds before the LDAP CRLDP is reached.
The system now parses LDAP-type CRLDP URLs correctly, so after upgrading, CRLDP authentication works as expected.
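
The condition and workaround above depend on which CRL Distribution Point types a client certificate carries and in what order. As an added example (not F5 code), this Python code classifies a certificate from the text printed by `openssl x509 -noout -ext crlDistributionPoints`. The sample hosts are constructed, the function names and result labels are hypothetical, and it assumes distribution points are tried in the order the certificate lists them.

```python
import re
from urllib.parse import urlsplit

# Constructed samples in the shape printed by
# `openssl x509 -noout -ext crlDistributionPoints`; hosts are placeholders.
SAMPLE_LDAP_FIRST = """\
X509v3 CRL Distribution Points:
    Full Name:
      URI:ldap://crl.example.test:389/CN=Example%20CA,O=Example?certificateRevocationList
    Full Name:
      URI:http://crl.example.test/example-ca.crl
"""
SAMPLE_HTTP_FIRST = """\
X509v3 CRL Distribution Points:
    Full Name:
      URI:http://crl.example.test/example-ca.crl
    Full Name:
      URI:LDAP://crl.example.test/CN=Example%20CA,O=Example?certificateRevocationList
"""


def cdp_uris(openssl_text):
    """Return the distribution point URIs in the order the certificate lists them."""
    return re.findall(r"^[ \t]*URI:(\S+)[ \t]*$", openssl_text, flags=re.MULTILINE)


def triage(uris):
    """Classify a certificate's CDP list against the conditions on this page.

    Assumption (labelled): entries are tried in listed order, so an LDAP entry
    with nothing before it is the one that gets used.
    """
    schemes = [urlsplit(u).scheme.lower() for u in uris]
    if "ldap" not in schemes:
        return "no-ldap-cdp"              # condition for the bug is absent
    first_ldap = schemes.index("ldap")
    if first_ldap > 0:
        # Matches the workaround only if the earlier non-LDAP lookup succeeds.
        return "ldap-after-other-scheme"
    return "ldap-reached-first"           # LDAP CRLDP is hit before any other type


if __name__ == "__main__":
    for name, text in (("ldap first", SAMPLE_LDAP_FIRST),
                       ("http first", SAMPLE_HTTP_FIRST)):
        uris = cdp_uris(text)
        print(f"{name}: {triage(uris)} {uris}")
```

A certificate reported as `ldap-after-other-scheme` still depends on the earlier distribution point being reachable at run time, which this static check cannot confirm.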