Bug ID 553614: Modification to parent clientssl CKC is not consistently reflected in the child clientssl profile

Last Modified: Jan 01, 2023

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
12.0.0, 11.6.1 HF1, 11.5.4 HF2

Opened: Oct 21, 2015
Severity: 4-Minor

Symptoms

If the certificate is modified in the parent client-ssl profile and inherit-certkeychain is set to TRUE in the child client-ssl profile, the system adds the parent CKC (cert-key-chain) to the child client-ssl profile instead of changing the child's CKC to the same value as the parent's.

Impact

The parent cert-key-chain is added to the client-ssl profile instead of the profile's CKC being changed to the same value as the parent's. Certificate validation can fail if it is not in the chain.

Conditions

1. Set inherit-certkeychain to TRUE in the child client-ssl profile.
2. Change the Parent CKC value.

Workaround

You can use either of the following workarounds:
-- Manually fix the CKC of child client-ssl profile.
-- Set 'inherit-certkeychain = False' in the client-ssl profile.
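
To find the child profiles that need the manual fix, each inheriting child's cert-key-chain can be compared with its parent's. The Python below is an added example, not F5 code: it assumes input in the brace-delimited style of `tmsh list ltm profile client-ssl` output with unquoted values and consistently written profile names, and the profile and certificate file names in the sample are constructed.

```python
# Constructed sample: child_bad shows the symptom (parent CKC added, old entry kept),
# child_ok matches its parent. All names are made up for illustration.
SAMPLE = """
ltm profile client-ssl parent_ssl { cert-key-chain { new_ckc { cert new.crt key new.key } } defaults-from clientssl inherit-certkeychain false }
ltm profile client-ssl child_bad { cert-key-chain { new_ckc { cert new.crt key new.key } old_ckc { cert old.crt key old.key } } defaults-from parent_ssl inherit-certkeychain true }
ltm profile client-ssl child_ok { cert-key-chain { new_ckc { cert new.crt key new.key } } defaults-from parent_ssl inherit-certkeychain true }
"""

def parse_block(tokens, i):
    """Parse the tokens following a '{' into a dict; return (dict, index past the '}')."""
    block = {}
    while tokens[i] != "}":
        name, nxt = tokens[i], tokens[i + 1]
        if nxt == "{":                      # nested block: name { ... }
            block[name], i = parse_block(tokens, i + 2)
        elif nxt == "}":                    # bare flag with no value
            block[name], i = True, i + 1
        else:                               # plain "key value" pair
            block[name], i = nxt, i + 2
    return block, i + 1

def parse_profiles(text):
    """Return {profile name: attributes}; whitespace-agnostic, so multi-line input works too."""
    tokens, i, profiles = text.split(), 0, {}
    while i < len(tokens):
        j = tokens.index("{", i)            # header: ltm profile client-ssl NAME {
        profiles[tokens[j - 1]], i = parse_block(tokens, j + 1)
    return profiles

def ckc_drift(profiles):
    """Map each inheriting child to the CKC entry names that differ from its parent's."""
    drift = {}
    for name, prof in profiles.items():
        parent = profiles.get(prof.get("defaults-from"))
        if prof.get("inherit-certkeychain") != "true" or parent is None:
            continue                        # not inheriting, or parent not in the listing
        mine = prof.get("cert-key-chain", {})
        theirs = parent.get("cert-key-chain", {})
        diff = sorted(k for k in mine.keys() | theirs.keys() if mine.get(k) != theirs.get(k))
        if diff:
            drift[name] = diff
    return drift

if __name__ == "__main__":
    for child, entries in ckc_drift(parse_profiles(SAMPLE)).items():
        print(f"{child}: cert-key-chain differs from parent in {entries}")
```
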

Fix Information

None

Behavior Change