Bug ID 744685: BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension

Last Modified: Feb 26, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 14.1.0, 14.1.0.1

Fixed In:
14.1.0.2, 13.1.1.4

Opened: Sep 20, 2018
Severity: 2-Critical

Symptoms

An intermediate CA certificate should be considered invalid unless its extensions include a Basic Constraints extension that is marked critical and carries CA:TRUE. BIG-IP does not enforce this.

Impact

The system might unexpectedly accept the SSL connection even though the peer presents an inappropriate certificate, i.e. one chained through an intermediate that is not marked as a CA.

Conditions

The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.

Workaround

None

Fix Information

With the fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both "Basic Constraints: critical" and "CA:TRUE" in its extension.

Behavior Change

When authenticating a peer's SSL certificate, we require a CA certificate to have "Basic Constraints" and "CA:TRUE" in its extensions, like this:

    X509v3 Basic Constraints: critical
        CA:TRUE

If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, we will drop the handshake if the peer's CA certificate does not satisfy the above requirement.
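The requirement above can be reproduced outside BIG-IP with OpenSSL, which is useful for checking the intermediates that clients or pool members will present before upgrading to a fixed release. The following shell script is an added example, not F5's code: it builds a throwaway test PKI (root, one intermediate signed three ways, and a leaf; all subject names are constructed) and then applies the same test the fixed BIG-IP applies, a Basic Constraints extension marked critical and carrying CA:TRUE. For comparison it also shows whether OpenSSL's own path validation accepts a chain through each intermediate. The helper names is_ca_cert and chain_validates are this example's own.

```shell
#!/bin/sh
# Added example (not F5 code): reproduce the Basic Constraints check described above
# with OpenSSL. Everything here is a throwaway test PKI created in a temp directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the test certificates (all subjects below are constructed).
cat > cert.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ca_noncrit_ext]
basicConstraints = CA:TRUE

[leaf_ext]
basicConstraints = CA:FALSE
EOF

# Root CA: self-signed, with a proper critical Basic Constraints extension.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Example Test Root" -days 1 -config cert.cnf -extensions ca_ext 2>/dev/null

# One intermediate key/CSR, signed three ways so the same leaf chains to all three.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Test Intermediate" -config cert.cnf 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
    -out inter-good.pem -extfile cert.cnf -extensions ca_ext 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
    -out inter-noncrit.pem -extfile cert.cnf -extensions ca_noncrit_ext 2>/dev/null
# No extensions at all: the intermediate this bug report is about.
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
    -out inter-bad.pem 2>/dev/null

# Leaf certificate issued with the intermediate key.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=example.test" -config cert.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter-good.pem -CAkey inter.key -CAcreateserial -days 1 \
    -out leaf.pem -extfile cert.cnf -extensions leaf_ext 2>/dev/null

# The check the fixed BIG-IP applies: the certificate must carry
# "X509v3 Basic Constraints: critical" followed by "CA:TRUE". A non-critical
# Basic Constraints extension, or none at all, fails this check.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 Basic Constraints: critical/ { inbc = 1; next }
        inbc { ok = ($0 ~ /CA:TRUE/); inbc = 0 }
        END { exit ok ? 0 : 1 }'
}

# For comparison: does OpenSSL path validation accept a chain through this intermediate?
chain_validates() {
    openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
}

for inter in inter-good inter-noncrit inter-bad; do
    if is_ca_cert "$inter.pem"; then bc="accept"; else bc="REJECT"; fi
    if chain_validates "$inter.pem"; then pv="OK"; else pv="fails"; fi
    echo "$inter.pem: Basic Constraints check = $bc, openssl verify = $pv"
done
```

Run as-is; it needs only openssl, awk and mktemp. The intermediate with no extensions is rejected both by the check above and by openssl verify, which is the behaviour the fix brings to BIG-IP. The non-critical CA:TRUE variant is the one to watch for in your own inventory: it fails the check the fixed BIG-IP performs even though default OpenSSL validation lets it through, so such intermediates should be reissued with basicConstraints marked critical before upgrading.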