Last Modified: Oct 10, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6
Fixed In:
17.1.0
Opened: Mar 21, 2022
Severity: 3-Major
Symptoms:
When a client does not present a certificate during the SSL handshake and C3D is enabled, the CLIENTSSL_CLIENTCERT iRule event is not triggered. This may lead to confusion during debugging or testing, especially when fallback certificates are configured and used.
Impact:
iRule logic that relies on CLIENTSSL_CLIENTCERT may not execute when no client certificate is provided.
Conditions:
The client does not send a certificate during the handshake. ssl-c3d is enabled, and a fallback certificate (c3d-client-fallback-cert) is configured. An iRule is present that logs or acts on CLIENTSSL_CLIENTCERT.
Workaround:
None
Fix Information:
CLIENTSSL_CLIENTCERT iRule events are now triggered as expected.
Behavior Change:
When SSL C3D was enabled with a fallback client certificate, the CLIENTSSL_CLIENTCERT iRule event did not fire if the client skipped sending a certificate, so any iRule tied to that event never ran. CLIENTSSL_CLIENTCERT now triggers even when no client certificate is provided, allowing the associated iRule logic to execute as expected.
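A diagnostic iRule for checking which behavior a given system shows; this is an added example, not part of the original bug record or F5's own code. The `c3d-check` log prefix and the `c3d_clientcert_seen` variable are hypothetical names, and the rule assumes CLIENTSSL_HANDSHAKE fires on completion of the handshake regardless of this bug.

```tcl
# Attach to a virtual server whose client SSL profile has ssl-c3d enabled
# and c3d-client-fallback-cert configured, then connect WITHOUT a client
# certificate and read /var/log/ltm.

when CLIENTSSL_CLIENTCERT {
    # Connection-scoped flag: records that this event ran at all.
    set c3d_clientcert_seen 1

    # On a fixed version the event fires even when the client sent no
    # certificate, so the zero-certificate case must be handled explicitly
    # before any certificate is dereferenced.
    if { [SSL::cert count] == 0 } {
        log local0.info "c3d-check: CLIENTSSL_CLIENTCERT fired, no client cert, peer=[IP::client_addr]:[TCP::client_port]"
    } else {
        log local0.info "c3d-check: CLIENTSSL_CLIENTCERT fired, subject=[X509::subject [SSL::cert 0]], peer=[IP::client_addr]:[TCP::client_port]"
    }
}

when CLIENTSSL_HANDSHAKE {
    # Reference point (assumption: this event runs once the handshake
    # completes). It reports whether CLIENTSSL_CLIENTCERT ran earlier on
    # the same connection.
    if { [info exists c3d_clientcert_seen] } {
        log local0.info "c3d-check: handshake complete, CLIENTSSL_CLIENTCERT ran, peer=[IP::client_addr]:[TCP::client_port]"
    } else {
        log local0.warning "c3d-check: handshake complete, CLIENTSSL_CLIENTCERT did NOT run, peer=[IP::client_addr]:[TCP::client_port]"
    }
}
```

A certificate-less connection that produces only the warning line matches the symptom described in this record; one that also produces the "no client cert" line matches the fixed behavior.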