Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

action_-'s avatar
action_-
Icon for Altostratus rankAltostratus
Jun 13, 2019

Client cert auth, more than advertised CA filtering?

We currently use client cert auth using smart cards at my organization. There is a push to move from one CA's certificates to another CA's certificates. There are 3 certificates on each smart card, o...
application delivery
BIG-IP Access Policy Manager (APM)
LTM
stan_piron's avatar
stan_piron
Icon for Cumulonimbus rankCumulonimbus
Jun 13, 2019

you Should request the IETF to add such filter in tls specifications...

 

in tls 1.2, section 7.4.4, the certificate request message structure is the following

 

struct {

ClientCertificateType certificate_types<1..2^8-1>;

SignatureAndHashAlgorithm

supported_signature_algorithms<2^16-1>;

DistinguishedName certificate_authorities<0..2^16-1>;

} CertificateRequest;

 

F5 can’t send client more information than described in this message

  • action_-'s avatar
    action_-
    Icon for Altostratus rankAltostratus
    Jun 14, 2019

    Thank you for your answer and the reference.

     

    I'll have to report back up the chain that we can't restrict what the server requests for client cert any more granularly than the advertised CA.