Bug ID 1071269: SSL C3D enhancements introduced in BIG-IP version 16.1.3 will not be available in 17.0.0.

Last Modified: Dec 07, 2023

Affected Product(s):
BIG-IP Install/Upgrade, LTM(all modules)

Fixed In:

Opened: Jan 05, 2022

Severity: 4-Minor


The SSL C3D enhancements and features were introduced in BIG-IP version 16.1.3. If the feature is enabled in 16.1.3 and you upgrade to version 17.0.0, all of the following SSL C3D features will not be available, and the upgrade will fail: - SSL C3D ability to convert RDN values to PrintableString or UTF-8 encoding. - SSL C3D ability to modify CN in forged client certificate subject. - SSL C3D ability to add custom SAN extension to the forged client certificate. - SSL C3D ability to add AKI extension to the forged client certificate.


Upgrade fails. You are unable to use any SSL C3D enhancements and features.


In the following conditions: 1. The BIG-IP config in 16.1.3 uses any of the two new iRules namely 'SSL::c3d subject' and 'X509::subject <cert> commonName'. 2. Upgrading to BIG-IP version 17.0.0


Workaround 1: Remove any config that had the SSL C3D feature enabled and caused the upgrade failure. Workaround 2: If you require C3D features, upgrade to a release that supports them.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips