Bug ID 967093: In SSL forward proxy when the signing CA cert and end-entity cert has a different signature algorithm, the SSL connection may fail

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Fixed In:
17.0.0, 15.1.5

Opened: Nov 24, 2020

Severity: 3-Major

Symptoms

In SSL forward proxy, the client side handshake may fail with the message: fwdp lookup error.

Impact

SSL forward proxy handshake fails.

Conditions

The handshake failure occurs when the certificate chain consists of different key types. For example, the following cert chain may fail the handshake: root CA (rsa) --> intermediate CA1 (rsa) --> intermediate CA2 (ec) --> end-entity cert (ec) The signing CA which is intermediate CA2 has a key of EC type, but cert is signed by RSA signature. The end-entity cert has a key of EC type, but cert is signed by ECDSA. In this case, the signer cert has different signature from that of the end-entity cert.

Workaround

None

Fix Information

Fixed an issue with SSL forward handshakes.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips