Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1
Fixed In:
14.0.0, 13.1.1.2, 12.1.3.7
Opened: Jan 04, 2018
Severity: 3-Major
Symptoms:
The last few bytes of a very large client certificate (typically more than 16,384 bytes) are not cached correctly when the certificate is received in fragments by the SSL Session ID (SSID) persistence parser.
Impact:
The client certificate is stored on the BIG-IP system incompletely: the last few bytes are missing, so the cached copy is a truncated certificate.
Conditions:
-- Client authentication is enabled on the Client SSL profile.
-- A very large client certificate is supplied (typically more than 16,384 bytes).
-- SSL Session ID persistence is enabled on the virtual server.
-- An iRule that uses the CLIENTSSL_CLIENTCERT event is attached to the virtual server.
Workaround:
Remove the iRule that uses the CLIENTSSL_CLIENTCERT event from the virtual server while SSL Session ID (SSID) persistence is in use. The client certificate is then not cached at all, which is preferable to caching a truncated, incorrect certificate.
Fix Information:
This release supports caching of fragmented client certificates in the SSL Session ID (SSID) persistence feature, so very large client certificates (typically exceeding 16,384 bytes) are now cached correctly.
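The 16,384-byte threshold above is the TLS maximum plaintext record size (2^14), so a Certificate handshake message larger than that necessarily arrives split across several records, which is the fragmentation the parser mishandled. The following is an added example, not F5 code and not part of this bug record: a small Python check that tells you whether a given client certificate is large enough to hit the condition, and whether a DER blob (for example the bytes an iRule obtains with SSL::cert 0) shows the symptom, i.e. the outer DER SEQUENCE header promises more bytes than are present. The sample inputs are constructed filler, not real certificates.

```python
"""Added example (not F5 code): flag client certificates that span TLS records and
detect a DER certificate whose trailing bytes are missing. Inputs are constructed."""

import base64
import re

# TLS plaintext records carry at most 2^14 bytes, so a Certificate message larger
# than this arrives split across records (the ~16,384-byte threshold on the page).
TLS_MAX_RECORD = 16384


def der_sequence(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE with correct short/long-form length encoding."""
    n = len(content)
    if n < 0x80:
        return bytes([0x30, n]) + content
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x30, 0x80 | len(length_octets)]) + length_octets + content


def der_declared_length(der: bytes) -> int:
    """Total size (header + content) that the outer SEQUENCE header claims."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length octets
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed length octets")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from a PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_to_der, 64-column base64 body."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def audit(der: bytes) -> dict:
    """Report whether the cert spans TLS records and whether it has been truncated."""
    declared = der_declared_length(der)
    return {
        "actual_len": len(der),
        "declared_len": declared,
        "exceeds_record": len(der) > TLS_MAX_RECORD,   # would trigger the condition
        "truncated": len(der) < declared,               # the symptom on the page
        "missing_bytes": max(0, declared - len(der)),
    }


if __name__ == "__main__":
    big = der_sequence(b"\x00" * 17000)   # constructed ~17 KB "certificate"
    print(audit(big))                      # spans records, intact
    print(audit(big[:-7]))                 # symptom: 7 trailing bytes missing
    small = der_sequence(b"\x01" * 600)    # constructed small "certificate"
    print(audit(pem_to_der(der_to_pem(small))))
```

Run `audit` on the DER form of each certificate you expect clients to present; any report with `exceeds_record` set identifies a certificate that would have been cached incorrectly on the affected versions, and `truncated` on a blob taken from the device confirms the symptom rather than guessing from a failed validation.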