Bug ID 477705: ProxySSL (SplitSSL) handshake failure

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Opened: Sep 03, 2014

Severity: 3-Major


The Expire Certificate Response Control setting in the Server SSL profile is not honored.


The BIG-IP system fails to drop the connection when the SSL server presents the expired certificate. This is expected behavior.


This issue occurs when all of the following conditions are met:
- A virtual server with an associated Secure Sockets Layer (SSL) pool member is configured with an SSL server profile to request a server certificate.
- The SSL server is serving data with an expired certificate, and the certificate is not trusted by the BIG-IP system.
- The SSL server profile specifies that the system should not drop the connection if the certificate is untrusted.
- The SSL server profile specifies that the system should drop the connection if the certificate has expired.


Although this is expected behavior, you can avoid the issue by not using expired certificates on your SSL server, or by using trusted certificates.
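
To find Server SSL profiles that match the profile-side conditions above, the following added example (not F5 code) parses a saved listing and reports the affected profiles. It assumes the listing comes from `tmsh list ltm profile server-ssl all-properties`, so that every setting appears explicitly; the sample text and profile names are constructed.

```python
import re

# Constructed sample in the shape of a tmsh Server SSL profile listing.
# Profile names are made up; the nested block is present only to exercise
# the depth tracking in the parser.
SAMPLE = """\
ltm profile server-ssl backend_strict {
    expire-cert-response-control drop
    peer-cert-mode require
    untrusted-cert-response-control drop
}
ltm profile server-ssl backend_mixed {
    cert-key-chain {
        default {
            cert default.crt
        }
    }
    expire-cert-response-control drop
    peer-cert-mode require
    untrusted-cert-response-control ignore
}
"""

HEADER = re.compile(r"^ltm profile server-ssl (\S+) \{$")

def parse_profiles(text):
    """Return {profile name: {setting: value}} using top-level settings only."""
    profiles, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line) if depth == 0 else None
        if m:
            current, depth = profiles.setdefault(m.group(1), {}), 1
        elif depth and line.endswith("{"):
            depth += 1                      # entering a nested block
        elif depth and line == "}":
            depth -= 1                      # leaving a block or the profile
        elif depth == 1 and " " in line:
            key, value = line.split(None, 1)
            current[key] = value
    return profiles

def affected_profiles(text):
    """Profiles that request a server certificate, ignore untrusted, drop expired."""
    want = {"peer-cert-mode": "require",
            "untrusted-cert-response-control": "ignore",
            "expire-cert-response-control": "drop"}
    return sorted(name for name, cfg in parse_profiles(text).items()
                  if all(cfg.get(k) == v for k, v in want.items()))
```

A profile reported by `affected_profiles` relies on the expired-certificate drop setting, which is not honored when the server certificate is also untrusted.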

Fix Information


Behavior Change
