Bug ID 2141233: Client authentication profile as "Request" in FIPS-CC mode causes connection termination without certificate

Last Modified: Dec 17, 2025

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
17.5.1.2, 17.5.1.3

Opened: Oct 29, 2025

Severity: 3-Major

Symptoms

SSL handshakes time out instead of finishing.

Impact

SSL handshakes do not finish but instead time out.

Conditions

1. Clientssl profile configured with Client Authentication enabled with "Request" option
2. BIG-IP is in FIPS-CC mode
3. Client does not provide a certificate

or

1. Clientssl profile configured with Client Authentication enabled with "Ignore" option
2. BIG-IP is in FIPS-CC mode
3. Access Policy applied to the Virtual Server contains an OnDemand Cert Auth agent
4. Client does not provide a certificate

Workaround

Workaround 1: Disable Client authentication.

Workaround 2: Configure CRL on the Client SSL profile.

Workaround 3: Enable the Client Certificate Constrained Delegation (c3d) feature on the SSL profiles (requires a Server-SSL profile; this feature forges the client cert to the server upon a cert request from the app-server).

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips