Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8
Fixed In:
12.0.0, 11.6.1, 11.5.4 HF2
Opened: Apr 07, 2015 Severity: 3-Major Related Article:
K17410
RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.
When this kind of key/cert pair is configured in a Client SSL profile that is used by a virtual server, the SSL handshake to the virtual server fails.
The key cert pair type matches one of the following combinations: 1. RSA key/DSA-signed cert. 2. RSA key/ECDSA-signed cert.
Do not use this kind of 'hybrid' key/cert pair in the Client SSL profile. Instead, use the combination such as RSA key/RSA-signed cert, EC key/ECDSA-signed cert, or DSA key/DSA-signed cert.
An RSA key with DSA-signed or ECDSA-signed cert no longer fails the SSL handshake. You can now configure those in the Client SSL profile and the SSL handshake completes as expected.