Last Modified: Sep 13, 2023
Known Affected Versions:
15.1.4, 188.8.131.52, 15.1.5
17.0.0, 184.108.40.206, 220.127.116.11
Opened: Oct 22, 2021 Severity: 3-Major
Attempts to select a client-ssl profile based on the certificate subject/SAN will not work for ECDSA certificates if ECDSA cert is signed by RSA CA. Even when the SNI in the client hello matches the certificate subject/SAN, BIG-IP selects the default client SSL profile.
The desired client-ssl profile is not selected for ECDSA hybrid certificates when the SNI matches the certificate subject/SAN.
-- ECDSA certificate signed by RSA CA. -- Client SSL profile does not have "server name" option configured.
Do not use hybrid certificates or configure the "server name" option in the client-ssl profile matching SNI.