Bug ID 499478: Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.4.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.4 HF3, 11.4.1 HF9

Opened: Jan 05, 2015

Severity: 3-Major

Related Article: K16850453


Bug 464651 fixed a loop issue that occurred when building a certificate chain caused by an invalid configuration in certificates. That fix unintentionally excluded the root certificate in the chain. While it is still a valid certificate chain, it does result in a change-in-behavior issue that is unacceptable in certain cases.


In some instances, the root certificate must be included in the certificate chain. In other cases, the certificate validation fails.


This occurs in versions containing the fix for Bug 464651 (11.4.1, 11.5.4).



Fix Information

This fix restores the previous behavior by including the root certificate in the chain.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips