Bug ID 810533: SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.0.8, 13.1.0.7, 13.1.0.6, 12.1.5, 12.1.4.1, 12.1.4, 12.1.3.7, 12.1.3.6

Fixed In:
16.0.0, 14.1.2.7

Opened: Jul 29, 2019

Severity: 3-Major

Symptoms

When the client attempts to connect, even when sending the proper SNI extension, the BIG-IP system resets the connection after the client hello.

Impact

SSL connections with valid SNI are closed, and the client cannot connect. With generic alerts enabled, you will see 'SSL alert number 40'. This is because the system does not read the server names from the SAN extension within the certificate.

Conditions

-- SNI Required set to true.
-- No Server Name configured in the client SSL profile.

Workaround

Specify a valid server name in the server name field of the client SSL profile.
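
An added example (not F5 code) for auditing a saved configuration against the conditions above: it reports client SSL profiles whose effective SNI Required is true while no Server Name is set, following profile inheritance. It assumes bigip.conf-style stanzas with the `sni-require`, `server-name` and `defaults-from` properties, that an unset server name is either absent or written as `none`, and that parent profiles not present in the file set neither property; the sample text is constructed.

```python
# Constructed bigip.conf-style sample (not from a real device).
SAMPLE_CONF = """\
ltm profile client-ssl /Common/base_sni {
    cert-key-chain {
        default { cert /Common/default.crt }
    }
    defaults-from /Common/clientssl
    sni-require true
}
ltm profile client-ssl /Common/child_named {
    defaults-from /Common/base_sni
    server-name www.example.test
}
ltm profile client-ssl /Common/child_unnamed {
    defaults-from /Common/base_sni
}
"""

def parse_profiles(conf):
    """Return {profile: {key: value}} from each stanza's top-level lines only."""
    profiles, current, depth = {}, None, 0
    for s in map(str.strip, conf.splitlines()):
        if current is None:
            if s.startswith("ltm profile client-ssl ") and s.endswith("{"):
                current, depth = s.split()[3], 1
                profiles[current] = {}
            continue
        # Nested blocks (cert-key-chain { ... }) are skipped; only depth-1 keys count.
        if depth == 1 and s not in ("", "}") and not s.endswith("{"):
            key, _, value = s.partition(" ")
            profiles[current][key] = value.strip()
        depth += s.count("{") - s.count("}")
        if depth == 0:
            current = None
    return profiles

def effective(p, name, key, hops=32):
    """Follow defaults-from until key is set; None if the file never sets it."""
    if name not in p or hops == 0:
        return None
    if key in p[name]:
        return p[name][key]
    return effective(p, p[name].get("defaults-from"), key, hops - 1)

def affected_profiles(conf):
    """Profiles matching the bug's conditions: SNI required, no server name."""
    p = parse_profiles(conf)
    return sorted(n for n in p if effective(p, n, "sni-require") == "true"
                  and effective(p, n, "server-name") in (None, "none"))
```

A child profile that inherits SNI Required from its parent without setting its own server name is reported even though its own stanza never mentions `sni-require`.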

Fix Information

None

Behavior Change
