Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.4.1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Fixed In:
11.5.0, 11.4.1 HF3
Opened: Nov 19, 2013 Severity: 2-Critical
When an empty client certificate is received, the client sometimes does not send a Certificate Verify message, so the BIG-IP system waits for the Certificate Verify message until the timeout.
The system waits for the Certificate Verify message until the timeout.
The client sends an empty Client Certificate message and does not send a Certificate Verify message.
None.
Now, when an empty client certificate is received, the system's clientssl ignores the Certificate Verify message. Also, when an empty Certificate Verify message is received but the Client Certificate is valid, the system sends an Alert with decode error. This is correct behavior.
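
The decision logic described in the fix, sketched as an added example (not F5 code). The function names, return labels and sample messages are hypothetical; the type and alert codes are the standard TLS values.

```python
# Added illustration, not F5 code. Message layout follows the TLS handshake
# framing: 1-byte type, 3-byte length, body.
HS_CERTIFICATE = 11         # HandshakeType.certificate
HS_CERTIFICATE_VERIFY = 15  # HandshakeType.certificate_verify
ALERT_DECODE_ERROR = 50     # AlertDescription.decode_error


def frame(msg_type, body=b""):
    """Build a handshake message (used for the constructed samples below)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def parse(msg, expected_type):
    """Return the body after checking the type and length fields."""
    if len(msg) < 4 or msg[0] != expected_type:
        raise ValueError("unexpected or truncated handshake message")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("handshake length field does not match body")
    return msg[4:]


def certificate_is_empty(certificate_msg):
    """True when the client's certificate_list vector has length zero."""
    body = parse(certificate_msg, HS_CERTIFICATE)
    if len(body) < 3 or int.from_bytes(body[:3], "big") != len(body) - 3:
        raise ValueError("malformed certificate_list")
    return len(body) == 3


def server_decision(certificate_msg, certificate_verify_msg=None):
    """Hypothetical decision function mirroring the fix description."""
    if certificate_is_empty(certificate_msg):
        # No certificate, so there is nothing to verify: never wait for
        # Certificate Verify, and ignore one if it arrives anyway.
        return "continue" if certificate_verify_msg is None else "ignore_verify"
    if certificate_verify_msg is None:
        return "await_verify"
    if not parse(certificate_verify_msg, HS_CERTIFICATE_VERIFY):
        # Certificate present but Certificate Verify body is empty.
        return ("alert", ALERT_DECODE_ERROR)
    return "check_signature"


# Constructed samples: an empty Certificate message and one carrying a
# placeholder 4-byte "certificate" (not real DER).
EMPTY_CERT = frame(HS_CERTIFICATE, b"\x00\x00\x00")
ONE_CERT = frame(HS_CERTIFICATE, b"\x00\x00\x07" + b"\x00\x00\x04" + b"CERT")
```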