Bug ID 1093313: CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response

Last Modified: Sep 30, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 16.1.0, 16.1.1, 16.1.2,,, 16.1.3,,, 17.0.0,

Opened: Apr 01, 2022
Severity: 3-Major


When an SSL client connects to the BIG-IP system using TLS 1.3 and sends an empty certificate, the CLIENTSSL_CLIENTCERT iRule event is not triggered.


CLIENTSSL_CLIENTCERT irules aren't triggered.


-- Virtual server configured on BIG-IP with SSL and iRule added -- Client authentication for client certificates is set to "request" -- iRule relying on CLIENTSSL_CLIENTCERT -- A client connects to BIG-IP using TLSv1.3 protocol without a certificate(empty certificate)



Fix Information


Behavior Change

CLIENTSSL_CLIENTCERT iRules are now triggered when an SSL client connects to BIG-IP with TLS1.3 and sends an empty certificate message.