Bug ID 1087469: iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate.

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM, SSLO(all modules)

Known Affected Versions:
17.0.0, 16.1.2.2, 16.1.2.1, 15.1.5.1, 15.1.5

Fixed In:
17.1.0, 16.1.3.1, 15.1.6.1

Opened: Mar 16, 2022

Severity: 2-Critical

Symptoms

When an SSL client connects to BIG-IP system and sends an empty certificate, the CLIENTSSL_CLIENTCERT is not triggered for iRules.

Impact

CLIENTSSL_CLIENTCERT irules aren't triggered.

Conditions

- Virtual server configured on BIG-IP with a clientssl profile - Client authentication on the virtual server is set to "request" - iRule relying on CLIENTSSL_CLIENTCERT - A client connects to BIG-IP using an empty certificate

Workaround

None

Fix Information

CLIENTSSL_CLIENTCERT irules are now triggered when receiving empty certificates.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips