Bug ID 967093: In SSL forward proxy when the signing CA cert and end-entity cert has a different signature algorithm, the SSL connection may fail

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1

Fixed In:
17.0.0, 15.1.5

Opened: Nov 24, 2020
Severity: 3-Major

Symptoms

In SSL forward proxy, the client side handshake may fail with the message: fwdp lookup error.

Impact

SSL forward proxy handshake fails.

Conditions

The handshake failure occurs when the certificate chain consists of different key types. For example, the following cert chain may fail the handshake: root CA (rsa) --> intermediate CA1 (rsa) --> intermediate CA2 (ec) --> end-entity cert (ec) The signing CA which is intermediate CA2 has a key of EC type, but cert is signed by RSA signature. The end-entity cert has a key of EC type, but cert is signed by ECDSA. In this case, the signer cert has different signature from that of the end-entity cert.

Workaround

None

Fix Information

Fixed an issue with SSL forward handshakes.

Behavior Change