Bug ID 638967: SSL Forward Proxy not to cache forged certificate if soft_vfyresult indicating an 'untrusted CA' or 'expired cert'

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.1.0, 13.0.0 HF1

Opened: Jan 12, 2017

Severity: 3-Major

Symptoms

The system caches a forged certificate when Forward Proxy (FWDP) server-side soft_vfyresult shows an untrusted CA or an expired cert. There is no method of overriding that behavior.

Impact

No method to override the caching behavior.

Conditions

Using FWDP. Server-side soft_vfyresult shows an untrusted CA or an expired cert.

Workaround

None.

Fix Information

In this release, you can configure SSL forward proxy not to cache the forged certificate on the client side when the sys db variable tmm.ssl.servercert_softval is enabled for server-side SSL and the backend server certificate's soft verify_result shows an 'untrusted CA' or 'expired certificate'.
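To make the fix concrete, the following is an added illustrative model (not F5 code, and not a description of TMM internals) of the decision the record describes: a forward proxy's forged-certificate cache keyed by backend name, with a boolean knob standing in for tmm.ssl.servercert_softval. The cert fields, the cache structure and the two-connection scenario ("backend.example" first seen with an expired certificate, then after renewal) are all assumptions constructed for the example; the page does not state what value enables the db variable.

```python
# Added illustrative model, not F5 code: how a TLS forward proxy's forged-certificate
# cache interacts with the server-side soft verification result.
from dataclasses import dataclass, field
from enum import Enum


class SoftVerifyResult(Enum):
    """Outcome of server-side certificate verification in 'soft' (non-fatal) mode."""
    OK = "ok"
    UNTRUSTED_CA = "untrusted CA"
    EXPIRED = "expired certificate"


# Results under which the fix stops the proxy from caching the forged certificate.
NO_CACHE_RESULTS = frozenset({SoftVerifyResult.UNTRUSTED_CA, SoftVerifyResult.EXPIRED})


@dataclass(frozen=True)
class ForgedCert:
    """Client-facing certificate minted by the proxy (assumed fields for the model)."""
    server_name: str
    issued_under: SoftVerifyResult  # verification status seen when it was forged
    serial: int


@dataclass
class ForwardProxyCertCache:
    """Hypothetical cache; `servercert_softval` models the tmm.ssl.servercert_softval knob."""
    servercert_softval: bool
    _entries: dict = field(default_factory=dict)
    _next_serial: int = 1

    def should_cache(self, result: SoftVerifyResult) -> bool:
        # Pre-fix behaviour (knob disabled): every forged certificate is cached.
        if not self.servercert_softval:
            return True
        # Fixed behaviour: do not cache when the server cert is untrusted or expired.
        return result not in NO_CACHE_RESULTS

    def handshake(self, server_name: str, result: SoftVerifyResult) -> ForgedCert:
        """Return the forged cert a client connecting to `server_name` would receive."""
        cached = self._entries.get(server_name)
        if cached is not None:
            return cached  # the cached cert wins, whatever the backend looks like now
        cert = ForgedCert(server_name, result, self._next_serial)
        self._next_serial += 1
        if self.should_cache(result):
            self._entries[server_name] = cert
        return cert


def simulate(servercert_softval: bool) -> list[str]:
    """Two client connections to one backend: the first while its certificate is
    expired, the second after the backend has renewed it. Returns the status each
    forged cert was issued under, so the effect of the cache is visible."""
    proxy = ForwardProxyCertCache(servercert_softval=servercert_softval)
    # Constructed sequence of server-side verification outcomes for "backend.example".
    observed = [SoftVerifyResult.EXPIRED, SoftVerifyResult.OK]
    return [proxy.handshake("backend.example", r).issued_under.value for r in observed]


if __name__ == "__main__":
    print("knob disabled:", simulate(False))  # stale 'expired' cert keeps being served
    print("knob enabled: ", simulate(True))   # second connection re-forges under 'ok'
```

With the knob disabled, the forged certificate minted during the bad first contact is served on every later connection, so the client-side view stays frozen at the verification status of that first handshake. With the knob enabled, nothing is cached for an untrusted or expired backend certificate, and the next connection re-verifies and re-forges.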

Behavior Change

In this release, you can configure SSL forward proxy not to cache the forged certificate on the client side when the sys db variable tmm.ssl.servercert_softval is enabled for server-side SSL and the backend server certificate's soft verify_result shows an 'untrusted CA' or 'expired certificate'.
