Bug ID 499478: Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate

Last Modified: Apr 10, 2019


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.4.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.4 HF3, 11.4.1 HF9

Opened: Jan 05, 2015
Severity: 3-Major
Related AskF5 Article:
K16850453

Symptoms

The fix for Bug 464651 addressed a loop that occurred while building a certificate chain when the certificates were configured invalidly. That fix unintentionally excluded the root certificate from the chain. The resulting chain is still valid, but the change in behavior is unacceptable in certain cases.

Impact

In some instances, the root certificate must be included in the certificate chain. In other cases, the certificate validation fails.

Conditions

This occurs in versions containing the fix for Bug 464651 (11.4.1, 11.5.4).

Workaround

None.

Fix Information

This fix restores the previous behavior by including the root certificate in the chain.
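
To check which behavior a given chain shows, the script below reports whether a PEM chain (for instance, one saved from `openssl s_client -showcerts` output) contains a self-issued root certificate. It is an added example, not F5 code; the function names, file names and throwaway demo certificates are constructed for illustration, and the subject/issuer hash comparison is a heuristic that does not verify the signature.

```bash
#!/usr/bin/env bash
# Added example: does a PEM chain contain a self-issued (root) certificate?

# chain_has_root FILE: exit 0 if any certificate in FILE has subject == issuer,
# 1 if none does. Heuristic: names are compared, the signature is not verified.
chain_has_root() {
    local bundle="$1" tmp f s i rc=1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, ignoring text between blocks.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (dir "/cert" n ".pem") }
        /-----END CERTIFICATE-----/   { on = 0 }' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        # Skip anything openssl cannot parse so two empty strings never "match".
        s=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null) || continue
        i=$(openssl x509 -in "$f" -noout -issuer_hash 2>/dev/null) || continue
        if [ -n "$s" ] && [ "$s" = "$i" ]; then rc=0; fi
    done
    rm -rf "$tmp"
    return "$rc"
}

# make_demo_chains DIR: constructed sample data (throwaway root and leaf).
make_demo_chains() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vs.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" > "$d/chain_without_root.pem"               # leaf only
    cat "$d/leaf.pem" "$d/root.pem" > "$d/chain_with_root.pem"    # leaf + root
}

demo=$(mktemp -d)
make_demo_chains "$demo"
for c in chain_without_root chain_with_root; do
    if chain_has_root "$demo/$c.pem"; then
        echo "$c.pem: root certificate included"
    else
        echo "$c.pem: root certificate not included"
    fi
done
rm -rf "$demo"
```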

Behavior Change