Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1
Fixed In:
11.4.1 HF9, 11.2.1 HF16
Opened: Mar 03, 2014
Severity: 2-Critical
Related Article:
K76313281
When using ClientSSL, client certificate authentication may fail if client certificate authentication is set to 'request' or 'require'.
SSL/TLS connections fail to establish for some clients on virtual servers that request or require client certificates.
This occurs when the following conditions are met:
-- A ClientSSL profile exists on the virtual server.
-- The ClientSSL profile is configured with client certificate authentication set to 'request' or 'require.'
-- The client responds with a certificate signed by one of the following affected signature algorithms: SHA256-RSA(0x0401), SHA384-RSA(0x0501), or SHA512-RSA(0x0601).
None
Unsupported SHA algorithms have been removed, so SSL/TLS client certificate verification completes successfully.
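To triage a packet capture of a failing handshake against the conditions above, the following added example (not F5 code) decodes a TLS 1.2 CertificateVerify handshake message and reports whether the client signed with one of the three listed algorithms. It assumes the hex values on this page are TLS 1.2 SignatureAndHashAlgorithm code points (RFC 5246) and that the message bytes were extracted from an unencrypted initial handshake; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Code points listed on this page, read (assumption) as TLS 1.2
# SignatureAndHashAlgorithm pairs: high byte = hash, low byte = signature.
AFFECTED = {0x0401: "SHA256-RSA", 0x0501: "SHA384-RSA", 0x0601: "SHA512-RSA"}
CERTIFICATE_VERIFY = 15  # handshake message type in RFC 5246


def certificate_verify_algorithm(handshake: bytes) -> int:
    """Return the 16-bit algorithm code from one CertificateVerify message."""
    if len(handshake) < 4:
        raise ValueError("truncated handshake header")
    msg_type = handshake[0]
    length = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + length]
    if msg_type != CERTIFICATE_VERIFY:
        raise ValueError(f"not a CertificateVerify message (type {msg_type})")
    if len(body) != length or length < 4:
        raise ValueError("truncated CertificateVerify body")
    # Body layout: algorithm (2 bytes), signature length (2 bytes), signature.
    code, sig_len = struct.unpack("!HH", body[:4])
    if sig_len != length - 4:
        raise ValueError("signature length does not match message length")
    return code


def uses_listed_algorithm(handshake: bytes) -> bool:
    """True when the client signed with an algorithm named in this report."""
    return certificate_verify_algorithm(handshake) in AFFECTED


def build_sample(code: int, sig_len: int = 256) -> bytes:
    """Constructed CertificateVerify message with a zero-filled signature."""
    body = struct.pack("!HH", code, sig_len) + bytes(sig_len)
    return bytes([CERTIFICATE_VERIFY]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for code in (0x0401, 0x0201):  # SHA256-RSA, then SHA1-RSA for contrast
        msg = build_sample(code)
        print(hex(code), AFFECTED.get(code, "not listed"), uses_listed_algorithm(msg))
```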