Bug ID 644418: Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1, 12.1.3

Opened: Feb 10, 2017

Severity: 3-Major

Symptoms

When SSL Forward Proxy forges a certificate for the client, it signs it with a hash algorithm chosen to match the server-side chain: it selects the weakest signature hash found among the certificates in the server certificate chain, and it wrongly includes the self-signed root certificate in that selection. Many self-signed root certificates are still signed with SHA1, even though a client never validates the self-signature on a trust anchor, so the root's hash has no bearing on the chain's strength. The forged certificate is therefore needlessly signed with SHA1, which many clients and sites no longer accept, and the SSL handshake may be rejected.
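The selection logic described above, as an added example that is not F5 code and is not the BIG-IP implementation: certificates are modelled as small records (subject, issuer, signature hash) rather than parsed X.509, a certificate is treated as self-signed when its subject equals its issuer (an assumption; a strict check would also verify the signature with the certificate's own public key), the hash-strength ranking and the `sha256` fallback for a chain consisting only of a self-signed certificate are assumed, and the sample chain is constructed for illustration.

```python
"""Model of the forward-proxy hash selection: affected behaviour versus fixed behaviour.

Added example, not F5 code. The hash ranking, the self-signed test and the
fallback default are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Signature hash strength, weakest first (assumed ranking).
HASH_STRENGTH = {"md5": 0, "sha1": 1, "sha224": 2, "sha256": 3, "sha384": 4, "sha512": 5}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_hash: str  # hash used in this certificate's own signature

    def is_self_signed(self) -> bool:
        # Assumption: subject == issuer is a sufficient self-signed test for this model.
        return self.subject == self.issuer


def weakest_hash(hashes: Iterable[str]) -> str:
    return min(hashes, key=lambda h: HASH_STRENGTH[h])


def select_forge_hash_buggy(chain: List[Cert]) -> str:
    """Affected releases: weakest hash across the whole chain, self-signed root included."""
    return weakest_hash(c.sig_hash for c in chain)


def select_forge_hash_fixed(chain: List[Cert]) -> str:
    """Fixed releases: self-signed certificates are excluded from the selection."""
    candidates = [c.sig_hash for c in chain if not c.is_self_signed()]
    if not candidates:
        # Chain is a single self-signed certificate: nothing to match against,
        # so fall back to a strong default (assumed value, not documented behaviour).
        return "sha256"
    return weakest_hash(candidates)


def client_accepts(sig_hash: str, minimum: str = "sha256") -> bool:
    """Whether a client that enforces `minimum` would accept a forged cert signed with sig_hash."""
    return HASH_STRENGTH[sig_hash] >= HASH_STRENGTH[minimum]


# Constructed sample chain: modern leaf and intermediate, legacy SHA1 self-signed root.
SAMPLE_CHAIN = [
    Cert("CN=www.example.com", "CN=Example Intermediate CA", "sha256"),
    Cert("CN=Example Intermediate CA", "CN=Example Root CA", "sha256"),
    Cert("CN=Example Root CA", "CN=Example Root CA", "sha1"),
]

# Constructed chain where the weakness is real: the intermediate itself is SHA1.
SHA1_INTERMEDIATE_CHAIN = [
    Cert("CN=www.example.com", "CN=Legacy Intermediate CA", "sha256"),
    Cert("CN=Legacy Intermediate CA", "CN=Example Root CA", "sha1"),
    Cert("CN=Example Root CA", "CN=Example Root CA", "sha256"),
]

if __name__ == "__main__":
    for name, chain in (("SHA1 root only", SAMPLE_CHAIN), ("SHA1 intermediate", SHA1_INTERMEDIATE_CHAIN)):
        buggy = select_forge_hash_buggy(chain)
        fixed = select_forge_hash_fixed(chain)
        print(f"{name}: buggy={buggy} (accepted={client_accepts(buggy)}), "
              f"fixed={fixed} (accepted={client_accepts(fixed)})")
```

The first chain shows the bug: only the root is SHA1, so the affected logic downgrades the forged certificate to SHA1 and a client that requires SHA256 rejects the handshake, while the fixed logic keeps SHA256. The second chain shows that the fix is not a blanket upgrade: a SHA1 intermediate still drives the selection to SHA1, because that certificate really is part of what the client validates.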

Impact

A forged certificate signed with SHA1 may be rejected by the client during the SSL handshake, and the handshake then fails even though the origin server's leaf and intermediate certificates use stronger hashes.

Conditions

This may occur when SSL Forward Proxy is in use and the origin server's certificate chain includes a self-signed certificate signed with SHA1 (or a weaker hash), while the client enforces a stronger minimum. To confirm the symptom, inspect the signature algorithm of the forged certificate that the client actually receives, for example with openssl s_client followed by openssl x509 -noout -text.

Workaround

None.

Fix Information

In this release, the system excludes self-signed certificates from the hash algorithm selection, which is the correct behavior: a client does not validate the self-signature on a trust-anchor root, so the root's hash should not influence the choice. As a result, the forged certificate is no longer downgraded to SHA1 solely because the self-signed root certificate uses SHA1. A SHA1 leaf or intermediate certificate in the server chain still results in a SHA1-signed forged certificate.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips