For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

action_-'s avatar
action_-
Icon for Altostratus rankAltostratus
Jun 14, 2019

Client cert auth, more than advertised CA filtering?

We currently use client cert auth using smart cards at my organization. There is a push to move from one CA's certificates to another CA's certificates. There are 3 certificates on each smart card, o...
application delivery
BIG-IP Access Policy Manager (APM)
LTM
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Jun 14, 2019

you Should request the IETF to add such filter in tls specifications...

 

in tls 1.2, section 7.4.4, the certificate request message structure is the following

 

struct {

ClientCertificateType certificate_types<1..2^8-1>;

SignatureAndHashAlgorithm

supported_signature_algorithms<2^16-1>;

DistinguishedName certificate_authorities<0..2^16-1>;

} CertificateRequest;

 

F5 can’t send client more information than described in this message

  • action_-'s avatar
    action_-
    Icon for Altostratus rankAltostratus
    Jun 14, 2019

    Thank you for your answer and the reference.

     

    I'll have to report back up the chain that we can't restrict what the server requests for client cert any more granularly than the advertised CA.