Bug ID 1071269: SSL C3D enhancements introduced in BIG-IP version 16.1.3 will not be available in 17.0.0.

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade, LTM(all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2,,

Fixed In:

Opened: Jan 05, 2022
Severity: 4-Minor


The SSL C3D enhancements and features were introduced in BIG-IP version 16.1.3. If the feature is enabled in 16.1.3 and you upgrade to version 17.0.0, all of the following SSL C3D features will not be available, and the upgrade will fail: - SSL C3D ability to convert RDN values to PrintableString or UTF-8 encoding. - SSL C3D ability to modify CN in forged client certificate subject. - SSL C3D ability to add custom SAN extension to the forged client certificate. - SSL C3D ability to add AKI extension to the forged client certificate.


Upgrade fails. You are unable to use any SSL C3D enhancements and features.


In the following conditions: 1. The BIG-IP config in 16.1.3 uses any of the two new iRules namely 'SSL::c3d subject' and 'X509::subject <cert> commonName'. 2. Upgrading to BIG-IP version 17.0.0


Workaround 1: Remove any config that had the SSL C3D feature enabled and caused the upgrade failure. Workaround 2: If you require C3D features, upgrade to a release that supports them.

Fix Information


Behavior Change