Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.6.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.1, 11.5.4 HF2
Opened: Apr 07, 2015 Severity: 3-Major Related Article:
K17410
RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.
When this kind of key/cert pair is configured in a Client SSL profile that is used by a virtual server, the SSL handshake to the virtual server fails.
The key cert pair type matches one of the following combinations: 1. RSA key/DSA-signed cert. 2. RSA key/ECDSA-signed cert.
Do not use this kind of 'hybrid' key/cert pair in the Client SSL profile. Instead, use the combination such as RSA key/RSA-signed cert, EC key/ECDSA-signed cert, or DSA key/DSA-signed cert.
An RSA key with DSA-signed or ECDSA-signed cert no longer fails the SSL handshake. You can now configure those in the Client SSL profile and the SSL handshake completes as expected.