Bug ID 556117: client-ssl profile is case-sensitive when checking server_name extension

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP All(all modules)

Known Affected Versions:
11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0, 11.6.1 HF2, 11.5.4 HF3

Opened: Nov 04, 2015

Severity: 3-Major

Related Article: K13206013

Symptoms

The client-ssl profile is Case-Sensitive when configuring server-name in the client-ssl profiles and checking server_name extension in the ClientHello Message.

Impact

The system treats mixed upper-lower case server-name as different names which violate the RFC6066, which states: "Currently, the only server names supported are DNS hostnames. DNS hostnames are case-insensitive."

Conditions

When using mixed upper-lower case server-name in the client-ssl profile configuration and ClientHello messages.

Workaround

1. Configure only one client-ssl profile with same server-name. 2. Use only lower-case server-name when configure the client-ssl profile. 3. Use lower-case server-name in the Client side.

Fix Information

The system now treats mixed upper-lower case server-names as the same name, so server-name is no longer case sensitive.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips