Bug ID 756250: On Demand Cert Auth Mode option set to Require in Per-Request Policy

Last Modified: Apr 17, 2024

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4

Opened: Jan 22, 2019

Severity: 3-Major

Symptoms

Setting the On Demand Cert Auth Mode option to 'Require' in a per-request policy causes the browser to spin if no client certificate is provided.

Impact

The browser does not receive a response for one or more minutes, until an RST is received. The tmm log shows messages similar to the following:

[C] 172.31.68.130:582 -> 172.31.73.74:443:ERR_NOT_FOUND: access2 token not found; subsession might be inactive

Conditions

-- In a Per Request Policy, set On Demand Cert Auth to Require.
-- Client SSL profile: LTM client SSL profile configured similar to the following:

   ltm profile client-ssl /Common/test_clientssl_ignore {
       ca-file /Common/BACKEND_ROOT
       client-cert-ca /Common/BACKEND_ROOT
       inherit-ca-certkeychain true
       inherit-certkeychain true
       peer-cert-mode ignore
   }

-- Virtual server containing the client SSL profile and Per Request Policy.
-- Navigate to the virtual server using a browser that has no client certificate.
-- Press F5 (Refresh) after receiving the RST.
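As an added example (not F5's code), the following Python audit parses tmsh client-ssl profile text for `peer-cert-mode ignore`, the profile setting in the conditions above, and tallies the 'access2 token not found' tmm messages per client and virtual server so repeated hits from one client can be spotted. The sample config and log lines are constructed from the profile and message quoted in this bug; the second profile and the extra log lines are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the client-ssl profile from the Conditions above plus a
# hypothetical second profile that requires a peer certificate at the TLS layer.
SAMPLE_CONFIG = """\
ltm profile client-ssl /Common/test_clientssl_ignore {
    ca-file /Common/BACKEND_ROOT
    client-cert-ca /Common/BACKEND_ROOT
    inherit-ca-certkeychain true
    inherit-certkeychain true
    peer-cert-mode ignore
}
ltm profile client-ssl /Common/strict_clientssl {
    peer-cert-mode require
}
"""

# Constructed tmm log lines; the first mirrors the message quoted in the bug.
SAMPLE_LOG = [
    "[C] 172.31.68.130:582 -> 172.31.73.74:443:ERR_NOT_FOUND: access2 token not found; subsession might be inactive",
    "[C] 172.31.68.130:583 -> 172.31.73.74:443:ERR_NOT_FOUND: access2 token not found; subsession might be inactive",
    "[C] 10.0.0.5:40001 -> 172.31.73.74:443:ERR_NOT_FOUND: access2 token not found; subsession might be inactive",
    "[I] 10.0.0.9:40002 -> 172.31.73.74:443: session established",
]

PROFILE_RE = re.compile(r"ltm profile client-ssl (\S+) \{(.*?)^\}", re.S | re.M)
TOKEN_RE = re.compile(r"^\[\w\] (?P<client>[\d.]+):\d+ -> (?P<vip>[\d.]+:\d+)"
                      r":ERR_NOT_FOUND: access2 token not found")

def profiles_with_peer_cert_ignore(config_text):
    """Names of client-ssl profiles whose peer-cert-mode is 'ignore': the TLS
    handshake then completes without a client certificate, which is the profile
    side of this bug's trigger when paired with On Demand Cert Auth 'Require'."""
    hits = []
    for name, body in PROFILE_RE.findall(config_text):
        m = re.search(r"^\s*peer-cert-mode\s+(\S+)", body, re.M)
        if m and m.group(1) == "ignore":
            hits.append(name)
    return hits

def missing_token_clients(log_lines):
    """Count 'access2 token not found' events per (client IP, virtual server)."""
    counts = Counter()
    for line in log_lines:
        m = TOKEN_RE.match(line)
        if m:
            counts[(m.group("client"), m.group("vip"))] += 1
    return counts
```

A client that appears repeatedly against the same virtual server is the refresh-after-RST loop described in the conditions; pair that list with the flagged profiles to find the virtual servers that need the workaround.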

Workaround

The client browser must present a valid client SSL certificate for the BIG-IP system to pass on-demand certificate authentication in a per-request policy and avoid the delayed RST. Set the Auth Mode to Require only when the client is known to provide a client certificate.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips