Last Modified: Sep 24, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.1.6, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5
Opened: May 12, 2021 Severity: 3-Major
Wildcard server-name does not match multiple labels in FQDN for example: *.domain.com matches a.domain.com or a.bc.domain.com, but it does not match domain.com but here multiple labels(a.bc.domain.com) are not matched to the wildcard (*.domain.com).
Generates default profile/certificate when trying to match with multiple labels using wildcard, when it should generate correct certificate matched to the wildcard in server name.
Client-ssl is configured with a wildcard server-name with the virtual server configured with multiple client-ssl profiles. The correct ssl profile (and therefore certificate) is chosen based on SNI from the client Hello.
Add additional SAN values to the certificate with the relevant second-level domain elements, for example: When serving "site.test.example.com" using a certificate that matches just *.example.com, add a second SAN element to the certificate of *.test.example.com
None