Bug ID 556117: client-ssl profile is case-sensitive when checking server_name extension

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0, 11.6.1 HF2, 11.5.4 HF3

Opened: Nov 04, 2015
Severity: 3-Major
Related AskF5 Article:
K13206013

Symptoms

The client-ssl profile is Case-Sensitive when configuring server-name in the client-ssl profiles and checking server_name extension in the ClientHello Message.

Impact

The system treats mixed upper-lower case server-name as different names which violate the RFC6066, which states: "Currently, the only server names supported are DNS hostnames. DNS hostnames are case-insensitive."

Conditions

When using mixed upper-lower case server-name in the client-ssl profile configuration and ClientHello messages.

Workaround

1. Configure only one client-ssl profile with same server-name. 2. Use only lower-case server-name when configure the client-ssl profile. 3. Use lower-case server-name in the Client side.

Fix Information

The system now treats mixed upper-lower case server-names as the same name, so server-name is no longer case sensitive.

Behavior Change