The F5 BIG-IP appliance must not use the On-demand Cert Auth VPE agent as part of the APM Policy Profiles.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266166 | F5BI-AP-300155 | SV-266166r1111861_rule | Medium |
| Description |
| By requiring mutual authentication before any communication, it becomes significantly challenging for attackers to impersonate a client or server and exploit vulnerabilities. Furthermore, the encryption of all data transmitted between the client and server ensures that even if an attacker intercepts the data, it remains unintelligible without the correct keys. To ensure the use of the mTLS for session authentication, do not use the On-Demand Cert Auth VPE agent. Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. However, if On-Demand is configured, the client SSL profile skips the initial SSL handshake, an On-Demand Cert Auth action can re-negotiate the SSL connection from an access policy by sending a certificate request to the user. This prompts a certificate screen to open. Setting ODCA to "require" the client cert means the client cannot get any farther in the APM VPE without providing a valid certificate. "Request" would ask the client for a certificate, but the client could still continue if they did not provide one. Thus, the Client Certificate must be set to "require" in the client SSL profile since just removing ODCA from the VPE alone will result in the client never getting prompted for a certificate. Within the Virtual Policy Editor (VPE) of the relevant Access Profile, do not use the On-Demand Cert Auth VPE agent. Configure only the Client Certification Inspection VPE Agent. This adjustment directs the BIG-IP to scrutinize the Client Certificate during the mTLS handshake process and extract the certificate's details into APM session variables. |
| STIG | Date |
| F5 BIG-IP TMOS ALG Security Technical Implementation Guide | 2025-06-09 |
Details
| Check Text (C-70090r1024849_chk) |
| From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" under "Per-Session Policy" for the Access Profile. 5. Verify the On-Demand Cert Auth agent is not configured in any part of the profile. If the On-Demand Cert Auth agent is used in any Access Policy Profile, this is a finding. |
| Fix Text (F-69993r1111860_fix) |
| From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" under "Per-Session Policy" for the Access Profile. 5. Remove any "On-Demand Cert Auth" agents in the profile. 6. Add a "Client Cert Inspection" object in place of the previous "On Demand Cert Auth" agent. 7. Click "Apply Access Policy". Note: Since use of this setting represent a risk to the DOD requirement for mutual authentication (see vulnerability discussion), if applications that use this function are mission essential, then AO approval is required, and use must be documented. |