Bug ID 626594: No way to perform a soft server certificate verification

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0

Fixed In:
13.1.0, 13.0.0 HF1

Opened: Nov 02, 2016

Severity: 3-Major

Symptoms

There is no way to perform a soft server certificate verification.

Impact

No way to perform a soft server certificate verification and continue the handshake as though the verification is OK, even if it is not OK.

Conditions

Server-side SSL forward proxy when 'server certificate' is set to 'require' and both 'untrusted CA response control' and 'expired certificate response control' are set to 'ignore'.

Workaround

None.

Fix Information

There is a new sys db variable, tmm.ssl.servercert_softval, with default value 'disabled'. When this sys db variable is 'enabled', calling SSL::verify_result returns a soft verify_result value. Typical use case: the server-side SSL forward proxy, when 'server certificate' is set to 'require' and both 'untrusted CA response control' and 'expired certificate response control' are set to 'ignore', but a soft server certificate verification is still wanted.
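As an added illustration (not part of this bug record or F5's documentation), the iRule below shows how the soft result can be consumed once the db variable is enabled: the forward proxy keeps ignoring untrusted or expired upstream certificates exactly as the profile dictates, but each failure is now logged with its verification code so it can be picked up by monitoring. It assumes the SERVERSSL_HANDSHAKE event, that SSL::verify_result returns 0 on success and an OpenSSL-style X509 error code otherwise, and that X509::verify_cert_error_string is available to render that code; the tmsh commands in the comments are the assumed way to enable the variable.

```tcl
# Assumed prerequisite, run once from tmsh on the BIG-IP:
#   modify sys db tmm.ssl.servercert_softval value enabled
#   save sys config
# Attach this iRule to the forward-proxy virtual server whose server-side
# SSL profile uses 'require' with both response controls set to 'ignore'.
when SERVERSSL_HANDSHAKE {
    # With the db variable enabled, SSL::verify_result exposes the soft
    # verification outcome even though the profile ignores the failure.
    # 0 means the upstream certificate chain verified cleanly.
    set vres [SSL::verify_result]
    if { $vres != 0 } {
        # X509::verify_cert_error_string is assumed to map the code to a
        # readable reason; log the raw code alone if it is unavailable.
        set reason [X509::verify_cert_error_string $vres]
        log local0.warn "Soft server cert verification failed for [IP::server_addr]:[TCP::server_port] (code $vres: $reason); handshake continued per SSL profile"
    }
}
```

Because the profile still treats the failure as 'ignore', the handshake proceeds as before; the only change is that the verification outcome is no longer invisible, which is what this bug asked for.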

Behavior Change

There is a new sys db variable, tmm.ssl.servercert_softval, with default value 'disabled'. When this sys db variable is 'enabled', calling SSL::verify_result returns a soft verify_result value. Typical use case: the server-side SSL forward proxy, when 'server certificate' is set to 'require' and both 'untrusted CA response control' and 'expired certificate response control' are set to 'ignore', but a soft server certificate verification is still wanted.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips