Last Modified: Apr 11, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Opened: Sep 03, 2014 Severity: 3-Major
The Expire Certificate Response Control setting in the Server SSL profile is not honored.
The BIG-IP system fails to drop the expired SSL certificate. This is expected behavior.
This issue occurs when all of the following conditions are met: A virtual server with an associated Secure Sockets Layer (SSL) pool member is configured with an SSL server profile to request a server certificate. The SSL server is serving data with an expired certificate, and certificate is not trusted by the BIG-IP system. The SSL server profile specifies that the system should not drop the connection if the certificate is untrusted. The SSL server profile specifies that the system should drop the connection if the certificate has expired.
Although this is expected behavior, you can avoid the issue by not using expired certificates on your SSL server, or by using the trusted certificates.
None