Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 12.0.0, 12.0.0 HF1, 12.0.0 HF2
Fixed In:
12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4 HF2
Opened: Oct 15, 2015
Severity: 3-Major
Related Article:
K34035224
When peer certificate mode (PCM) is set to request and the BIG-IP system client-ssl asks for the client certificate, the handshake might fail if the client sends an invalidly signed Certificate Verify message.
The handshake does not ignore the invalidly signed Certificate Verify message, and the handshake might fail. SSL client authentication should ignore an invalidly signed Certificate Verify message when PCM is set to 'request'. Regardless of whether the Certificate and Certificate Verify messages are valid, the handshake should ignore the Certificate Verify signature error and continue.
This occurs when the SSL client certificate mode is request and the client sends an invalidly signed Certificate Verify message to the BIG-IP system.
None.
When peer certificate mode (PCM) is set to request and the BIG-IP system client-ssl asks for the client certificate, the handshake now ignores the Certificate Verify signature error and continues. This is correct behavior.
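The condition described above applies only to client-ssl profiles whose peer certificate mode resolves to request. The following Python sketch is an added example, not F5 code: it scans a bigip.conf-style export for such profiles and follows `defaults-from` inheritance. The sample configuration and profile names are constructed, and it assumes the tmsh stanza layout and that a profile with no explicit `peer-cert-mode` anywhere in its chain inherits `ignore` from the built-in parent.

```python
import re
# Constructed sample in bigip.conf stanza layout (not taken from a real device).
SAMPLE_CONF = """\
ltm profile client-ssl /Common/base_mtls {
    defaults-from /Common/clientssl
    peer-cert-mode request
}
ltm profile client-ssl /Common/portal {
    cert-key-chain {
        default {
            cert /Common/portal.crt
        }
    }
    defaults-from /Common/base_mtls
}
ltm profile client-ssl /Common/api {
    peer-cert-mode require
}
"""
HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{$")

def parse_profiles(text):
    """Return {name: {attr: value}} using only top-level attributes of each stanza."""
    profiles, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:  # outside any stanza: only a client-ssl header opens a profile
            m = HEADER.match(line)
            current = profiles.setdefault(m.group(1), {}) if m else None
        elif current is not None and depth == 1 and not line.endswith("{"):
            key, _, value = line.partition(" ")
            if value:  # skips the closing brace and bare keywords
                current[key] = value
        depth += line.count("{") - line.count("}")  # simplification: no quoted braces
    return profiles

def effective_mode(name, profiles, default="ignore"):
    """Follow defaults-from until a profile sets peer-cert-mode explicitly."""
    seen = set()
    while name in profiles and name not in seen:  # 'seen' guards against loops
        seen.add(name)
        if "peer-cert-mode" in profiles[name]:
            return profiles[name]["peer-cert-mode"]
        name = profiles[name].get("defaults-from")
    return default  # assumption: the built-in parent ignores client certificates

def profiles_in_request_mode(text):
    profiles = parse_profiles(text)
    return sorted(n for n in profiles if effective_mode(n, profiles) == "request")
```

On a system running one of the known affected versions, the profiles this returns are the ones to review against the fixed versions listed above.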