Last Modified: Jan 07, 2026
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.5.0, 17.5.1, 17.5.1.2, 17.5.1.3, 21.0.0
Opened: Jan 07, 2026 Severity: 3-Major
Virtual server's 'serverssl-use-sni' setting does not work when virtual server has HTTP2 profile attached on the client-side and HTTP profile on the server-side.
Incorrect serverssl profile might be selected when establishing server-side connection.
HTTP2 to HTTP gateway config with 'serverssl-use-sni' option enabled.
iRule can be used to select the profile based on presented SNI, for example: when CLIENTSSL_CLIENTHELLO { binary scan [SSL::extensions -type 0] @9a* sni log local0. "SNI: $sni" } when SERVER_CONNECTED { switch -glob [string tolower $sni] { "foo.com" { SSL::profile foo-serverssl } "bar.com" { SSL::profile bar-serverssl } } }
None