Bug ID 451003: SSL/TLS client certificate verification may fail due to SHA algorithms that are advertised but not supported

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1

Fixed In:
11.4.1 HF9, 11.2.1 HF16

Opened: Mar 03, 2014

Severity: 2-Critical

Related Article: K76313281

Symptoms

When using ClientSSL, client certificate authentication may fail, if client certificate authentication is set to 'request' or 'require'.

Impact

SSL/TLS connections fail to establish for some clients on virtual servers that request or require client certificates.

Conditions

This occurs when the following conditions are met: -- A ClientSSL profile exists on the virtual server. -- The ClientSSL profile is configured with client certificate authentication set to 'request' or 'require.' -- The client responds with a certificate signed by one of the following affected signature algorithms: SHA256-RSA(0x0401), SHA384-RSA(0x0501), or SHA512-RSA(0x0601).

Workaround

None

Fix Information

Unsupported SHA algorithms have been removed, so SSL/TLS client certificate verification completes successfully.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips