Last Modified: Sep 13, 2023
Known Affected Versions:
13.1.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
22.214.171.124, 12.1.2 HF1
Opened: Mar 23, 2017
Severity: 3-Major
The default CA certificate bundle file used by the system contains some older certificates, e.g., expired or soon-to-be expired.
When the built-in trusted certificates are obsolete, i.e., the bundle contains a number of expired certificates, the system might fail to verify the peer's certificate correctly.
If the default CA certificate bundle file is configured in SSL profiles, it is used as a set of built-in trusted certificates when verifying peer's certificate during SSL handshake.
You can either update the default CA certificate bundle file, /config/ssl/ssl.crt/ca-bundle.crt, directly with proper certificates and then restart TMM:
bigstart restart tmm
Alternatively, you can install a separate CA bundle and reference it from the SSL profile, for example:
tmsh install sys crypto cert better_ca_bundle from-local-file /shared/better_ca_bundle.pem
tmsh modify ltm profile client-ssl cssl ca-file better_ca_bundle.crt
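Before replacing the bundle (or to confirm the shipped one is the problem), a practitioner will want to count how many certificates in a PEM bundle are already expired or will expire within a given window. The script below is an added example, not F5 code; it assumes openssl and awk are on the PATH (both are on BIG-IP), and the function name audit_bundle is my own.

```shell
#!/bin/sh
# audit_bundle BUNDLE [SECONDS]
# Splits a PEM CA bundle into single certificates and reports each one that
# is expired now or will expire within SECONDS (default 0 = already expired).
# Flagged subjects and notAfter dates go to stderr; the count goes to stdout.
audit_bundle() {
    bundle="$1"
    window="${2:-0}"
    tmpdir=$(mktemp -d) || return 2
    # One file per certificate, starting at each BEGIN CERTIFICATE line.
    awk -v d="$tmpdir" \
        '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert" n ".pem")}' \
        "$bundle"
    stale=0
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        # -checkend returns non-zero if the cert expires within $window seconds.
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            stale=$((stale + 1))
            openssl x509 -in "$f" -noout -subject -enddate >&2
        fi
    done
    rm -rf "$tmpdir"
    echo "$stale"
}

# Usage on a BIG-IP (path from this article); 2592000 s = 30 days:
# audit_bundle /config/ssl/ssl.crt/ca-bundle.crt 2592000
```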
This release updates the default CA certificate bundle file by adding the latest certificates and removing the expired certificates.