Last Modified: Dec 07, 2023
BIG-IP Install/Upgrade, LTM
Opened: Jan 05, 2022 Severity: 4-Minor
The SSL C3D enhancements and features were introduced in BIG-IP version 16.1.3. If the feature is enabled in 16.1.3 and you upgrade to version 17.0.0, the upgrade will fail and none of the following SSL C3D features will be available:
- SSL C3D ability to convert RDN values to PrintableString or UTF-8 encoding.
- SSL C3D ability to modify CN in forged client certificate subject.
- SSL C3D ability to add custom SAN extension to the forged client certificate.
- SSL C3D ability to add AKI extension to the forged client certificate.
Upgrade fails. You are unable to use any SSL C3D enhancements and features.
This occurs under the following conditions:
1. The BIG-IP config in 16.1.3 uses either of the two new iRules commands, namely 'SSL::c3d subject' and 'X509::subject <cert> commonName'.
2. You upgrade to BIG-IP version 17.0.0.
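A pre-upgrade check for condition 1, as an added example (not F5 code): it scans configuration text for `ltm rule` stanzas that use either command. The function name, the sample config and its command arguments, and the choice to skip Tcl comment lines are assumptions.

```python
import re
import sys

# The two iRules commands named in the conditions above.
C3D_SUBJECT = re.compile(r"\bSSL::c3d\s+subject\b")
# <cert> may be a variable ($cert) or a bracketed command ([SSL::cert 0]).
X509_SUBJECT_CN = re.compile(r"\bX509::subject\s+(?:\[[^\]]*\]|\S+)\s+commonName\b")
RULE_HEADER = re.compile(r"^ltm rule (\S+) \{")

# Constructed sample config; rule names and command arguments are illustrative.
SAMPLE_CONFIG = """\
ltm rule /Common/c3d_subject_rule {
when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    set cn [X509::subject $cert commonName]
    SSL::c3d subject commonName $cn
}
}
ltm rule /Common/plain_rule {
when CLIENTSSL_CLIENTCERT {
    # X509::subject $cert commonName
    log local0. [X509::subject [SSL::cert 0]]
}
}
"""

def find_c3d_irule_usage(config_text):
    """Return (rule_name, line_number, command) for each use inside an iRule."""
    findings, rule, depth = [], None, 0
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if rule is None:
            header = RULE_HEADER.match(line)
            if not header:
                continue  # outside any iRule stanza
            rule, depth = header.group(1), 0
        code = line.strip()
        if not code.startswith("#"):  # assumption: commented-out commands are ignored
            if C3D_SUBJECT.search(code):
                findings.append((rule, lineno, "SSL::c3d subject"))
            if X509_SUBJECT_CN.search(code):
                findings.append((rule, lineno, "X509::subject <cert> commonName"))
        # Tcl matches braces even inside comments; only escaped braces are skipped.
        unescaped = re.sub(r"\\.", "", line)
        depth += unescaped.count("{") - unescaped.count("}")
        if depth <= 0:
            rule = None  # stanza closed
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for rule, lineno, command in find_c3d_irule_usage(text):
        print(f"{rule}: line {lineno}: uses {command}")
```

Run it with the path to a saved copy of the configuration as the only argument; with no argument it scans the constructed sample.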
Workaround 1: Remove any config that had the SSL C3D feature enabled and caused the upgrade failure.
Workaround 2: If you require C3D features, upgrade to a release that supports them.