Maxim_Taskov_90
Nimbostratus
Nov 15, 2011
Client Certificate Validation by Subject
I am trying to use the common name CN from the x509::subject variable to validate a client certificate. I used the rule from the following post as a sample:
http://devcentral.f5.com/Communit...
Maxim_Taskov_90
Nimbostratus
Nov 17, 2011
Thanks hoolio, I will open a case with F5 but have little faith as they usually send me right back to DevCentral if it is not a hardware issue. I will let you know the outcome.
Nitass, I am not sure how to create the certificate with blank subject field in openssl. I actually stumbled on this issue by accident as I never thought you could have a certificate with blank subject field but I guess you can. In my initial testing of my iRule I just grabbed the first certificate I had in my machine certificate store with the Client Authentication role and it happened to be one issued via auto-enrollment by Microsoft Certificate Authority for the purpose of machine level authentication for a different process. I wouldn't have pursued the anomaly if the connection was rejected but I guess iRule validation fails on TCL error. This appears to be a dangerous exploit and that is why I wanted to find the reason for it and a solution to the obvious security problem.
I can send you the certificate, key and trusted root chain in a separate email if you provide your contact details. Please disable CRL checking in your test configuration as I will revoke this certificate for understandable reasons.
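The failure mode described in this thread (a certificate with a blank subject making the CN check error out instead of rejecting) is handled below by a fail-closed iRule; this is an added example, not the poster's rule or F5's code. It assumes a data group named `allowed_client_cns` (placeholder) holding the permitted CN values and logging to `local0`.

```tcl
# Added example (not the original poster's rule or F5's code): validate the
# client certificate by CN and fail closed when the subject is empty or when
# X509::subject raises a TCL error. Assumption: a data group named
# "allowed_client_cns" (placeholder) holds the permitted CN values.
when CLIENTSSL_CLIENTCERT {
    # No certificate presented at all: reject rather than fall through.
    if { [SSL::cert count] < 1 } {
        log local0. "Client cert check: no certificate from [IP::client_addr]"
        reject
        return
    }

    # Wrap the X509 call in catch so a TCL error (for example on a
    # certificate with a blank subject) cannot abort the rule and leave
    # the connection open.
    set subject ""
    if { [catch { set subject [X509::subject [SSL::cert 0]] } err] } {
        log local0. "Client cert check: X509::subject failed ($err) for [IP::client_addr]"
        reject
        return
    }

    # Extract the CN; an empty subject yields no match and an empty CN.
    set cn ""
    regexp -nocase {(?:^|,)\s*CN=([^,]+)} $subject -> cn
    set cn [string trim $cn]

    if { $cn eq "" } {
        log local0. "Client cert check: empty subject/CN rejected for [IP::client_addr]"
        reject
        return
    }

    # Compare against the allow list; anything not listed is rejected.
    if { ![class match $cn equals allowed_client_cns] } {
        log local0. "Client cert check: CN '$cn' not allowed, rejecting [IP::client_addr]"
        reject
        return
    }
}
```

Every branch that cannot positively confirm an allowed CN ends in `reject`, so a parsing error is treated the same as a bad certificate rather than as a pass.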