Bug ID 744685: BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension

Last Modified: May 14, 2019

Bug Tracker

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.1.0, 14.1.0.1

Fixed In:
14.1.0.2, 13.1.1.4

Opened: Sep 20, 2018
Severity: 2-Critical

Symptoms

An intermediate CA certificate should be considered invalid if it does not carry the 'Basic Constraints' extension marked critical with 'CA:TRUE'. The BIG-IP system does not enforce this when it validates a peer's certificate chain.

Impact

The system might accept the SSL connection even though the peer's certificate chains through an issuer that is not a CA, that is, a certificate without 'Basic Constraints: critical, CA:TRUE' that has been used to sign the peer's certificate.

Conditions

The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.

Workaround

None.

Fix Information

With this fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension.

Behavior Change

When authenticating a peer's SSL certificate, the system requires a CA certificate to carry the 'Basic Constraints' extension with 'CA:True', as shown in the certificate's text form:

    X509v3 Basic Constraints: critical
        CA:TRUE

If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the handshake if the peer's CA certificate does not satisfy this requirement.
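The check described above, reproduced with OpenSSL as an added example (this is not F5 code and not how BIG-IP implements the check internally): the script builds a root CA, an intermediate issued without the Basic Constraints extension and one issued with 'critical, CA:TRUE', a leaf certificate under each, and runs openssl verify on both chains. The chain through the unconstrained intermediate is rejected with 'invalid CA certificate'; the other is accepted. All names, keys and certificates are constructed by the script; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not F5 code: reproduce the intermediate-CA check with OpenSSL.
# Everything here (names, keys, certificates) is constructed by the script.
# Assumes openssl 1.1.1 or later on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf;
# the subject is always overridden with -subj.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# Extension profiles. ca.ext is what an intermediate must carry. bad.ext is the
# shape this bug failed to reject: no Basic Constraints at all. It keeps
# keyCertSign so that chain building still treats it as the leaf's issuer and
# the failure comes from the Basic Constraints check rather than key usage.
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > ca.ext
printf 'keyUsage = critical,keyCertSign\nsubjectKeyIdentifier = hash\n' > bad.ext
printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\n' > leaf.ext

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
# csr <CN> <key> <out>
csr() { openssl req -new -config req.cnf -subj "/CN=$1" -key "$2" -out "$3" 2>/dev/null; }
# sign <csr> <issuer cert> <issuer key> <extfile> <out>
sign() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 30 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

# Root CA: self-signed with the full CA profile.
newkey root.key
csr "Example Root" root.key root.csr
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null

# Two intermediates for the same key: one issued without Basic Constraints,
# one issued correctly.
newkey int.key
csr "Example Intermediate" int.key int.csr
sign int.csr root.pem root.key bad.ext int_bad.pem
sign int.csr root.pem root.key ca.ext int_good.pem

# A leaf (the peer certificate) under each intermediate.
newkey leaf.key
csr "peer.example.test" leaf.key leaf.csr
sign leaf.csr int_bad.pem int.key leaf.ext leaf_bad.pem
sign leaf.csr int_good.pem int.key leaf.ext leaf_good.pem

# verify_chain <intermediate> <leaf>: validates the leaf against root.pem with
# the intermediate supplied as untrusted chain material. Prints openssl's
# verdict and returns its exit status (0 only if the chain is accepted).
verify_chain() { openssl verify -CAfile root.pem -untrusted "$1" "$2" 2>&1; }

# basic_constraints <cert>: prints the Basic Constraints extension, if any.
basic_constraints() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' \
        || echo "(no Basic Constraints extension)"
}

echo "--- intermediate without Basic Constraints"
basic_constraints int_bad.pem
verify_chain int_bad.pem leaf_bad.pem || echo "rejected: this is what the fix enforces"
echo "--- intermediate with critical CA:TRUE"
basic_constraints int_good.pem
verify_chain int_good.pem leaf_good.pem
```

To exercise a BIG-IP with the same material, present leaf_bad.pem together with int_bad.pem as the peer's chain to a virtual server whose SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, with root.pem configured as that profile's trusted CA: a fixed version drops the handshake, an affected version completes it.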