Bug ID 1013181: TMM may produce core when dynamic CRL check is enabled on the client SSL profile

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM, LTM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2

Fixed In:
16.1.0, 15.1.5

Opened: Apr 21, 2021

Severity: 2-Critical

Symptoms

Possible tmm crash during ssl handshake with client SSL virtual server when dynamic CRL check is used.

Impact

Traffic disrupted while tmm restarts.

Conditions

All these 3 conditions need to be met. - Client Certificate is set to "request" on the client SSL profile or using APM "On-Demand Cert Auth" agent set to "request". - Dynamic CRL check is configured on the client SSL profile. - Client does not submit its client certificate to the virtual server.

Workaround

- Configure Client Certificate "require" on the client SSL profile or, if using APM "On-Demand Cert Auth" agent, configure it to "require". or - Disable Dynamic CRL check. You can use static CRL file on the client SSL profile instead.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips