Bug ID 504815: Certificate chain verification is not working correctly on server SSL profile

Last Modified: Mar 17, 2021

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
12.0.0

Opened: Feb 04, 2015
Severity: 2-Critical

Symptoms

Handshake failures during certificate chain verification.

Impact

SSL handshake failures: the BIG-IP system does not respond to the Server Hello Done sent by IIS. This occurs because IIS packs the 'Server Hello', 'Certificate', 'Server Key Exchange', 'Certificate Request' and 'Server Hello Done' messages into a single SSL record, which does not trigger the next handshake state, so the handshake stalls.

Conditions

-- Using Internet Information Services (IIS) for Windows Server.
-- The ca-file is set to the root CA.
-- Configured with a DHE or ECDHE ciphersuite, or with client auth (anything except an RSA-based key-transport suite such as AES128-SHA).

Workaround

Add intermediate certificates.

Fix Information

The BIG-IP system now iterates through all certificates in a chain, so handshake failures no longer occur under these conditions.
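As an added illustration of the Impact and Fix Information sections (example code, not F5's implementation): a minimal Python parser for the TLS record and handshake layers, with a client-side state machine driven two ways. One driver assumes one handshake message per record and stalls after a coalesced server flight; the other consumes every handshake message in the record and walks every certificate in the Certificate message. The record bytes, message bodies and the two "certificates" are constructed placeholders, not real DER, and the state names and the run_handshake/demo functions are the example's own.

```python
"""
Added example (not F5 code): a TLS client-side handshake parser that
shows why assuming one handshake message per record stalls when the
server coalesces ServerHello, Certificate, ServerKeyExchange,
CertificateRequest and ServerHelloDone into a single record, and what
the correct loop looks like. All bytes below are constructed placeholders.
"""
import struct

CT_HANDSHAKE = 0x16
SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE = 2, 11, 12
CERTIFICATE_REQUEST, SERVER_HELLO_DONE = 13, 14

# Client-side state machine for the server's first flight (assumed names).
# ServerKeyExchange and CertificateRequest are optional, so they loop in place.
NEXT_STATE = {
    ("WAIT_SERVER_HELLO", SERVER_HELLO): "WAIT_CERTIFICATE",
    ("WAIT_CERTIFICATE", CERTIFICATE): "WAIT_SERVER_HELLO_DONE",
    ("WAIT_SERVER_HELLO_DONE", SERVER_KEY_EXCHANGE): "WAIT_SERVER_HELLO_DONE",
    ("WAIT_SERVER_HELLO_DONE", CERTIFICATE_REQUEST): "WAIT_SERVER_HELLO_DONE",
    ("WAIT_SERVER_HELLO_DONE", SERVER_HELLO_DONE): "SEND_CLIENT_FLIGHT",
}


def handshake_msg(msg_type, body):
    """Handshake header: 1-byte type followed by a 3-byte body length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def certificate_body(chain):
    """Certificate body: 3-byte list length, then 3-byte-length-prefixed certs."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    return len(entries).to_bytes(3, "big") + entries


def tls_record(content_type, fragment):
    """Record header: content type, version 0x0303, 2-byte fragment length."""
    return bytes([content_type]) + b"\x03\x03" + struct.pack("!H", len(fragment)) + fragment


def parse_record(rec):
    if len(rec) < 5:
        raise ValueError("short record header")
    ct, n = rec[0], struct.unpack("!H", rec[3:5])[0]
    if len(rec) != 5 + n:
        raise ValueError("record length mismatch")
    return ct, rec[5:]


def parse_handshake_messages(fragment):
    """Return every (type, body) handshake message in a record fragment."""
    msgs, i = [], 0
    while i < len(fragment):
        if i + 4 > len(fragment):
            raise ValueError("truncated handshake header")
        t, n = fragment[i], int.from_bytes(fragment[i + 1:i + 4], "big")
        body = fragment[i + 4:i + 4 + n]
        if len(body) != n:
            raise ValueError("truncated handshake body")
        msgs.append((t, body))
        i += 4 + n
    return msgs


def parse_certificate_chain(body):
    """Walk the whole certificate list, not just the first entry."""
    total = int.from_bytes(body[:3], "big")
    if total != len(body) - 3:
        raise ValueError("certificate list length mismatch")
    chain, i = [], 3
    while i < 3 + total:
        n = int.from_bytes(body[i:i + 3], "big")
        cert = body[i + 3:i + 3 + n]
        if len(cert) != n:
            raise ValueError("truncated certificate")
        chain.append(cert)
        i += 3 + n
    return chain


def run_handshake(records, one_message_per_record):
    """Feed server records to the state machine; returns (final_state, chain).
    one_message_per_record=True reproduces the faulty assumption."""
    state, chain = "WAIT_SERVER_HELLO", []
    for rec in records:
        ct, fragment = parse_record(rec)
        if ct != CT_HANDSHAKE:
            continue
        msgs = parse_handshake_messages(fragment)
        if one_message_per_record:
            msgs = msgs[:1]  # fault: the remaining messages are never consumed
        for t, body in msgs:
            state = NEXT_STATE.get((state, t), state)  # unexpected type: stay put
            if t == CERTIFICATE:
                chain = parse_certificate_chain(body)
    return state, chain


# Constructed server flight: leaf + intermediate, all five messages in ONE record.
CHAIN = [b"<leaf-cert-der>", b"<intermediate-cert-der>"]
SERVER_FLIGHT = tls_record(
    CT_HANDSHAKE,
    handshake_msg(SERVER_HELLO, b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
    + handshake_msg(CERTIFICATE, certificate_body(CHAIN))
    + handshake_msg(SERVER_KEY_EXCHANGE, b"<dhe-params-placeholder>")
    + handshake_msg(CERTIFICATE_REQUEST, b"<cert-request-placeholder>")
    + handshake_msg(SERVER_HELLO_DONE, b""),
)


def demo():
    """Returns the stalled result and the correct result for the same flight."""
    stalled = run_handshake([SERVER_FLIGHT], one_message_per_record=True)
    correct = run_handshake([SERVER_FLIGHT], one_message_per_record=False)
    return stalled, correct


if __name__ == "__main__":
    print(demo())
```

The stalled driver stops in WAIT_CERTIFICATE with no chain parsed, which is the "does not respond to Server Hello Done" symptom: nothing in the flight ever drives the state machine forward. The correct driver reaches SEND_CLIENT_FLIGHT with both certificates available for chain building, which is what the workaround of supplying intermediates compensated for before the fix.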

Behavior Change