Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3
Fixed In:
13.1.0, 13.0.1, 12.1.3
Opened: Feb 10, 2017
Severity: 3-Major
SSL Forward Proxy signs each forged certificate using a hash algorithm that it selects from the server certificate chain: the weakest algorithm found among the certificates in that chain, including the self-signed certificate. Many self-signed certificates use the SHA1 hash algorithm, which is not acceptable to many sites. The SSL handshake may be rejected.
A forged certificate signed with the SHA1 hash algorithm may be rejected during the SSL handshake, and the SSL handshake will then fail.
This may occur when SSL Forward Proxy is in use.
None.
In this release, the system excludes self-signed certificates from hash algorithm selection (which is the correct behavior). This may prevent the forged certificate from using the SHA1 hash algorithm.
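The selection rule described above, before and after the fix, as an added Python model (not F5 code). The `Cert` record, the `select_forging_hash` function, the strength ordering, the subject-equals-issuer test and the sample chain are all assumptions made for this example.

```python
from dataclasses import dataclass

# Assumed ordering for this example, weakest first.
HASH_STRENGTH = {"md5": 0, "sha1": 1, "sha256": 2, "sha384": 3, "sha512": 4}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_hash: str  # hash algorithm named in the certificate's signature

    @property
    def self_signed(self) -> bool:
        # Simplification: a real check also verifies the signature
        # against the certificate's own public key.
        return self.subject == self.issuer


def select_forging_hash(chain, include_self_signed):
    """Return the weakest signature hash among the certificates considered.

    include_self_signed=True models the affected behavior;
    include_self_signed=False models the fixed behavior.
    """
    if not chain:
        raise ValueError("empty certificate chain")
    considered = [c for c in chain if include_self_signed or not c.self_signed]
    if not considered:
        # Assumption of this example: if the server sent only a self-signed
        # certificate, fall back to it rather than failing.
        considered = list(chain)
    return min(considered, key=lambda c: HASH_STRENGTH[c.sig_hash.lower()]).sig_hash


# Constructed sample chain: SHA-256 leaf and intermediate, SHA-1 self-signed root.
CHAIN = [
    Cert("CN=www.example.test", "CN=Example Issuing CA", "sha256"),
    Cert("CN=Example Issuing CA", "CN=Example Root CA", "sha256"),
    Cert("CN=Example Root CA", "CN=Example Root CA", "sha1"),
]

if __name__ == "__main__":
    print("affected:", select_forging_hash(CHAIN, include_self_signed=True))
    print("fixed:   ", select_forging_hash(CHAIN, include_self_signed=False))
```

A self-signed root is trusted by its presence in the trust store rather than by its own signature, so its signature hash says nothing about the strength the client expects on the leaf.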