Bug ID 438385: Empty client certificate or empty certificate does not return verify message.

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
11.4.1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Fixed In:
11.5.0, 11.4.1 HF3

Opened: Nov 19, 2013
Severity: 2-Critical

Symptoms

When an empty client certificate is received, the client sometimes does not send a Certificate Verify message, so the BIG-IP system waits for the Certificate Verify message until timeout.

Impact

The system waits for the Certificate Verify message until timeout.

Conditions

The client sends an empty client certificate message and does not send a Certificate Verify message.

Workaround

None.

Fix Information

Now, when an empty client certificate is received, the system clientssl ignores the Certificate Verify message. Also, when an empty Certificate Verify message is received but the client certificate is valid, the system sends an Alert with decode error. This is correct behavior.
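The fixed behavior described above, modeled as an added example (this is not F5 code). It assumes TLS 1.2 handshake framing per RFC 5246; the function names, return labels and sample bytes are constructed for illustration, and a "valid" client certificate is approximated as a well-formed, non-empty certificate list.

```python
HS_CERTIFICATE, HS_CERTIFICATE_VERIFY, HS_CLIENT_KEY_EXCHANGE = 11, 15, 16
ALERT_DECODE_ERROR = 50  # RFC 5246 AlertDescription decode_error

def hs_msg(msg_type, body):
    """Frame one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def parse_flight(data):
    """Split concatenated handshake messages into {type: body}."""
    msgs, i = {}, 0
    while i < len(data):
        if len(data) - i < 4:
            raise ValueError("truncated handshake header")
        length = int.from_bytes(data[i + 1:i + 4], "big")
        body = data[i + 4:i + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        msgs[data[i]] = body
        i += 4 + length
    return msgs

def certificate_is_empty(body):
    """True when certificate_list has zero length (body is 00 00 00)."""
    if len(body) < 3 or int.from_bytes(body[:3], "big") != len(body) - 3:
        raise ValueError("malformed Certificate message")
    return len(body) == 3

def client_auth_decision(flight):
    """Decide how the server side treats Certificate Verify for one flight."""
    msgs = parse_flight(flight)
    if HS_CERTIFICATE not in msgs:
        raise ValueError("no Certificate message in flight")
    if certificate_is_empty(msgs[HS_CERTIFICATE]):
        return "no-client-cert"  # ignore Certificate Verify, do not wait for it
    verify = msgs.get(HS_CERTIFICATE_VERIFY)
    if verify is None:
        return "await-verify"    # certificate present, Certificate Verify still due
    if len(verify) == 0:
        return ("alert", ALERT_DECODE_ERROR)  # empty Certificate Verify body
    return "check-signature"

# Constructed sample messages (placeholder bytes, not captured traffic).
FAKE_CERT = b"\x30\x03\x02\x01\x00"
CERT_LIST = len(FAKE_CERT).to_bytes(3, "big") + FAKE_CERT
NONEMPTY_CERT = hs_msg(HS_CERTIFICATE, len(CERT_LIST).to_bytes(3, "big") + CERT_LIST)
EMPTY_CERT = hs_msg(HS_CERTIFICATE, b"\x00\x00\x00")
CKE = hs_msg(HS_CLIENT_KEY_EXCHANGE, b"\x00\x02\xab\xcd")
```

The first branch is the case this bug covers: with an empty certificate list the handshake proceeds without waiting on a message the client may never send.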

Behavior Change