Bug ID 1056741: ECDSA certificates signed by RSA CA are not selected based by SNI.

Last Modified: Dec 07, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
15.1.4,, 15.1.5

Fixed In:

Opened: Oct 22, 2021

Severity: 3-Major


Attempts to select a client-ssl profile based on the certificate subject/SAN will not work for ECDSA certificates if ECDSA cert is signed by RSA CA. Even when the SNI in the client hello matches the certificate subject/SAN, BIG-IP selects the default client SSL profile.


The desired client-ssl profile is not selected for ECDSA hybrid certificates when the SNI matches the certificate subject/SAN.


-- ECDSA certificate signed by RSA CA. -- Client SSL profile does not have "server name" option configured.


Do not use hybrid certificates or configure the "server name" option in the client-ssl profile matching SNI.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips