Bug ID 1056741: ECDSA certificates signed by RSA CA are not selected based by SNI.

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1

Fixed In:
17.0.0, 16.1.2.2, 15.1.5.1

Opened: Oct 22, 2021
Severity: 3-Major

Symptoms

Attempts to select a client-ssl profile based on the certificate subject/SAN will not work for ECDSA certificates if ECDSA cert is signed by RSA CA. Even when the SNI in the client hello matches the certificate subject/SAN, BIG-IP selects the default client SSL profile.

Impact

The desired client-ssl profile is not selected for ECDSA hybrid certificates when the SNI matches the certificate subject/SAN.

Conditions

-- ECDSA certificate signed by RSA CA. -- Client SSL profile does not have "server name" option configured.

Workaround

Do not use hybrid certificates or configure the "server name" option in the client-ssl profile matching SNI.

Fix Information

N/A

Behavior Change