The BIG-IP Core implementation must be configured to validate certificates used for TLS functions for connections to virtual servers by constructing a certification path (which includes status information) to an accepted trust anchor.

From F5 BIG-IP Local Traffic Manager 11.x Security Technical Implementation Guide

Part of SRG-NET-000164-ALG-000100

Associated with: CCI-000185

SV-74735r1_rule The BIG-IP Core implementation must be configured to validate certificates used for TLS functions for connections to virtual servers by constructing a certification path (which includes status information) to an accepted trust anchor.

Vulnerability discussion

A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the "root certificate" or "trust anchor" such as a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted.Deploying the ALG with TLS enabled may require the CA certificates for each proxy to be used for TLS traffic decryption/encryption. The installation of these certificates in each trusted root certificate store is used by proxied applications and browsers on each client.

Check content

If the BIG-IP Core does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS) for virtual servers, this is not applicable. When intermediary services for TLS are provided, verify the BIG-IP Core is configured to validate certificates used for TLS functions by constructing a certification path to an accepted trust anchor. Navigate to the BIG-IP System manager >> Local traffic >> Profiles >> SSL >> Server. Select a FIPS-compliant profile. Review the configuration under "Server Authentication" section. Verify "Server Certificate" is set to "Required". Verify "Trusted Certificate Authorities" is set to a DoD-approved CA bundle. If the BIG-IP Core is not configured to validate certificates used for TLS functions by constructing a certification path to an accepted trust anchor, this is a finding.

Fix text

If intermediary services for TLS are provided, configure the BIG-IP Core to validate certificates used for TLS functions by constructing a certification path with status information to an accepted trust anchor.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer