Last Modified: May 05, 2026
Affected Product(s):
BIG-IP LTM, SSLO, TMOS
Fixed In:
17.5.1.6
Opened: Dec 23, 2025 Severity: 3-Major
To conform to Certification Requirements specified in the FIPS 140-3, Common Criteria, and SSL/TLS Inspection Proxy (STIP) standards, the following validations of temporarily-issued (i.e., forged) certificates are added:

1. notBefore field test: If the established server certificate's notBefore time precedes the current time as well as the notBefore field of the CA certificate, then the forged certificate should have a notBefore value that does not precede the current time (except, perhaps, by a small amount).

2a. notAfter field test: IF the following hold, based upon the maximum duration specified in the configuration:
(i) The notAfter field of the CA certificate does not exceed the current time by more than the maximum duration, AND
(ii) The notAfter field of the server certificate exceeds the current time by more than the maximum duration,
THEN: The notAfter field in the forged certificate should not exceed that in the CA certificate.

2b. notAfter field test: IF the following hold, based upon the maximum duration specified in the configuration:
(i) The notAfter field of the CA certificate exceeds the current time by more than the maximum duration, AND
(ii) The notAfter field of the server certificate exceeds the notAfter field in the CA certificate by more than the maximum duration,
THEN: The notAfter field in the forged certificate should not exceed the maximum duration.

2c. notAfter field test: If the notAfter field in the server certificate precedes both that in the CA certificate as well as the (current time + maximum duration), then the notAfter field in the forged certificate should not exceed that in the server certificate.
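Added here as an illustration (not F5's implementation): a Python checker that applies the four rules above to a forged certificate's validity window and reports which rules it breaks. The five-minute skew tolerance for rule 1 and all sample dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Validity:
    """notBefore/notAfter pair of one certificate (timezone-aware datetimes)."""
    not_before: datetime
    not_after: datetime

def forged_cert_violations(server, ca, forged, now, max_duration,
                           skew=timedelta(minutes=5)):
    """Return the ids of the rules (1, 2a, 2b, 2c) that the forged validity breaks."""
    violations = []
    horizon = now + max_duration  # furthest notAfter the maximum duration allows
    # Rule 1: server notBefore precedes both 'now' and the CA notBefore, so the forged
    # notBefore must not precede 'now' beyond 'skew' (assumed tolerance for the "small amount").
    if server.not_before < now and server.not_before < ca.not_before:
        if forged.not_before < now - skew:
            violations.append("1")
    # Rule 2a: CA expires within the horizon, server cert does not: cap at the CA notAfter.
    if ca.not_after <= horizon and server.not_after > horizon:
        if forged.not_after > ca.not_after:
            violations.append("2a")
    # Rule 2b: CA outlives the horizon and server outlives the CA by > max_duration: cap at horizon.
    if ca.not_after > horizon and server.not_after > ca.not_after + max_duration:
        if forged.not_after > horizon:
            violations.append("2b")
    # Rule 2c: server cert expires before both the CA and the horizon: cap at the server notAfter.
    if server.not_after < ca.not_after and server.not_after < horizon:
        if forged.not_after > server.not_after:
            violations.append("2c")
    return violations

# Constructed sample data (not from the article): clock at 2026-01-01, 30-day
# maximum duration, a CA valid 2020..2030, and a server certificate that both
# predates the CA and outlives it by a year.
UTC = timezone.utc
NOW = datetime(2026, 1, 1, tzinfo=UTC)
MAX_DURATION = timedelta(days=30)
CA = Validity(datetime(2020, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC))
SERVER = Validity(datetime(2019, 1, 1, tzinfo=UTC), datetime(2031, 1, 1, tzinfo=UTC))
FORGED_COPIED = SERVER                          # copies the server validity verbatim
FORGED_CLAMPED = Validity(NOW, NOW + MAX_DURATION)  # clamped to now..now+max_duration

if __name__ == "__main__":
    for label, forged in (("copied", FORGED_COPIED), ("clamped", FORGED_CLAMPED)):
        print(label, "violates rules:", forged_cert_violations(SERVER, CA, forged, NOW, MAX_DURATION))
```

Copying the server validity verbatim trips rules 1 and 2b for this sample; clamping the window to the current time and the maximum duration satisfies all four.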
This change applies only to BIG-IP TMOS, in particular the newer versions starting with BIG-IP 17.5.x that are being newly certified to conform to STIP standards. Existing TMOS versions configured in CC/FIPS/STIP modes will continue to operate without these validations; they are already certified and will not be impacted. There is no impact on BIG-IP devices that are not in FIPS / CC / STIP mode(s).
-- The BIG-IP device must be in CC/FIPS/STIP mode.
-- Forward Proxy must be enabled.
-- A TLS/SSL profile is configured for forward proxy, along with a front-end client and a back-end server. The back-end server will also contain an issuer (i.e., CA) certificate that issued its own (server) certificate.
None, in CC/FIPS/STIP modes. Not applicable to devices not configured in any of the aforementioned modes.
CC/FIPS/STIP certification validations have been added for the notBefore and notAfter dates of BIG-IP temporarily-issued (i.e., forged) certificates in Forward Proxy configurations.