Bug ID 499478: Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.4.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.4 HF3, 11.4.1 HF9

Opened: Jan 05, 2015
Severity: 3-Major
Related AskF5 Article:


Bug 464651 fixed a loop issue that occurred when building a certificate chain caused by an invalid configuration in certificates. That fix unintentionally excluded the root certificate in the chain. While it is still a valid certificate chain, it does result in a change-in-behavior issue that is unacceptable in certain cases.


In some instances, the root certificate must be included in the certificate chain. In other cases, the certificate validation fails.


This occurs in versions containing the fix for Bug 464651 (11.4.1, 11.5.4).



Fix Information

This fix restores the previous behavior by including the root certificate in the chain.

Behavior Change