Bug ID 1032949: Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate.

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2

Fixed In:
17.0.0, 16.1.2.1, 15.1.5

Opened: Jul 12, 2021
Severity: 3-Major

Symptoms

When you configure Dynamic CRL and set the client authentication as "Request", the handshake fails when clients do not supply a certificate.

Impact

SSL handshake fails

Conditions

Clientssl profile configured with the following:
1. Dynamic CRL
2. Client Authentication enabled with "Request" option

Workaround

Workaround 1: Use Static CRL.
Workaround 2: Use Client authentication with either "Require" or "Ignore".
Workaround 3: Disable TLS 1.2 and below versions in the Client SSL profile, which means only TLS 1.3 traffic is allowed.

Fix Information

N/A

Behavior Change