Last Modified: May 19, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
17.1.2, 17.1.2.1, 17.1.2.2
Opened: Jan 10, 2025
Severity: 3-Major
SSL::verify_result returns '0' when the client sends an empty certificate and uses TLS 1.3
SSL::verify_result returns an incorrect code of 0 (no error) when it should return 50 (X509_V_ERR_APPLICATION_VERIFICATION).
- The Client-SSL profile has peer cert mode set to 'request'
- There are no client certificates
- TLS 1.3 is used
Check the availability of client certificates before using SSL::verify_result.

    ltm rule /Common/cust-iRule {
        when CLIENTSSL_CLIENTCERT {
            set cert [SSL::cert 0]
            if { $cert eq "" } {
                # no client cert
                log local0. "[IP::client_addr] no client certificate"
            } else {
                # a certificate was presented, so the verify result can be consulted
                set verify [SSL::verify_result]
                if { $verify == 0 } {
                    # allow access
                    log local0. "[IP::client_addr] $verify:[X509::verify_cert_error_string $verify] [X509::issuer $cert] [X509::subject $cert] [X509::serial_number $cert]"
                }
            }
        }
    }
None