Zebra_131802
Oct 17, 2013

Machine Certificate Check Behavior Change in APM 11.4

I have been doing some testing on 11.3 to check the machine certificate before initiating SSL VPN; everything works nicely. I then tried the same config using the same testing machine with the same certificate, and it failed miserably on 11.4.0 and with the latest HF3.

Not sure what is going on; when I checked the report, it just showed that it followed the fallback path to DENY. It did not even find the certificate, as there is a "Found" branch. When I checked the session variable, it was just blank. I have wasted two days on this and am not going anywhere.

Has anyone got 11.4.0 working with Windows machine cert check?

Thanks

7 Replies

  • Hi,

    Yes, just did it this morning with 11.4.1. My configuration is simple:

    • SSL client profile with trusted CA and CRL
    • APM policy with On Demand Cert Auth and parameter on Requested.

    How is your APM VPE set?

  • Thanks for the reply. I thought On Demand Cert Auth only checks user certs; you need Machine Cert Auth? Mine is really simple, starting with

    |Machine Cert Auth| --- |Logon Page|

    Can't even get the logon page. The same config on an 11.3 VM running in parallel works nicely.

  • Looked closely into the Machine Cert Auth box; there is a tiny difference in the Successful branch:

    11.3 default expr { [mcget {session.windows_check_machinecert.last.result}] == 1 }

    11.4 default expr { [mcget {session.check_machinecert.last.result}] == 1 }

    Tried to copy the variable from 11.3 to 11.4, the system did not recognize it.
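
The two branch rules quoted above, worked through as an added example (not code from the thread or from F5): a small Python model of how an APM branch rule reads session variables via mcget, which lints a policy for the 11.3-era variable name and shows why a rule that reads an unset variable falls through to the fallback (DENY) branch. The evaluator is a deliberately simplified stand-in for APM's Tcl expression handling, and the session dictionary is constructed, not captured from a device.

```python
import re

# Session-variable names quoted in the thread: the 11.3 Successful-branch rule
# reads the first one; the 11.4 Machine Cert Auth agent populates the second.
OLD_VAR = "session.windows_check_machinecert.last.result"
NEW_VAR = "session.check_machinecert.last.result"

MCGET = re.compile(r"\[mcget\s+\{([^}]+)\}\]")


def referenced_vars(expr):
    """Return every session variable a branch-rule expression reads via mcget."""
    return MCGET.findall(expr)


def evaluate_rule(expr, session):
    """Evaluate a rule shaped like '{ [mcget {var}] == N }' against a session dict.

    Simplified model (assumption): an unset variable reads as an empty string,
    which never equals the expected value, so the rule is false and the policy
    takes the fallback branch, matching the DENY seen in the access report.
    """
    m = re.fullmatch(r"\s*\{\s*\[mcget\s+\{([^}]+)\}\]\s*==\s*(\S+)\s*\}\s*", expr)
    if not m:
        raise ValueError(f"unsupported rule syntax: {expr}")
    var, expected = m.groups()
    return session.get(var, "") == expected


def lint_rule(expr):
    """Flag references to the 11.3 variable name that 11.4 agents no longer set."""
    return [f"{v} -> {NEW_VAR}" for v in referenced_vars(expr) if v == OLD_VAR]


RULE_113 = "{ [mcget {session.windows_check_machinecert.last.result}] == 1 }"
RULE_114 = "{ [mcget {session.check_machinecert.last.result}] == 1 }"

# Constructed session state as a 11.4 agent would leave it after a passing check.
SESSION_114 = {NEW_VAR: "1"}

if __name__ == "__main__":
    print(evaluate_rule(RULE_113, SESSION_114))  # False: variable blank, fallback branch
    print(evaluate_rule(RULE_114, SESSION_114))  # True: Successful branch
    print(lint_rule(RULE_113))  # lists the 11.3 name with its 11.4 replacement
```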


  • Sorry, I thought client cert, not machine cert. Let me check if something changed (except the variable).

  • Hi Zebra,

    Do you have the details around how this has been fixed and in which release?

    Thanks

    Peter

  • AFAIK getting into the FOUND branch has never been an issue, with any release. For the Successful branch it was an issue for a long time until recently (thanks to the machine certificate check service, from v11.4 I believe). Until that time, the answer from F5 was "change your permissions on the machine certificate/key if you need to verify the private key". Any financial or gov in F5's customers' list? :-D