Bug ID 583272: "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth

Last Modified: May 14, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1, 12.1.3, 11.6.2

Opened: Mar 25, 2016
Severity: 3-Major
Related AskF5 Article:
K11736022

Symptoms

The browser shows a "corrupted connect error" when the access policy runs On-Demand Cert Auth on an IPv6 virtual server. A packet capture shows the root cause: APM sends an HTTP 302 with invalid brackets around the hostname, like this:

Location: https://[login.example.com]/my.policy

Brackets are for raw IPv6 addresses only. They are illegal around DNS names, including names that represent an IPv6 address.
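A check for this symptom, as an added example that is not F5 code: it flags a Location header whose bracketed host is not a raw IPv6 literal. The function names and both sample response heads are constructed for illustration, and 2001:db8::10 is a documentation address.

```python
import ipaddress
import re

# scheme://authority, where authority = [userinfo@]host[:port]
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")

def bracket_problem(location):
    """Return a reason string if the URL's host misuses brackets, else None."""
    m = _AUTHORITY.match(location.strip())
    if not m:
        return None                      # relative redirect, no host to check
    hostport = m.group(1).rpartition("@")[2]
    if not hostport.startswith("["):
        return "stray ']' in host" if "]" in hostport else None
    end = hostport.find("]")
    if end == -1:
        return "unterminated '[' in host"
    inner, rest = hostport[1:end], hostport[end + 1:]
    if rest and not re.fullmatch(r":\d*", rest):
        return "unexpected text after ']'"
    try:
        ipaddress.IPv6Address(inner)     # IPvFuture literals are not handled here
    except ValueError:
        return f"brackets around non-IPv6 host {inner!r}"
    return None

def check_response_head(raw):
    """Return [(location, reason)] for bad Location headers in one response head."""
    findings = []
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                        # end of headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            reason = bracket_problem(value)
            if reason:
                findings.append((value.strip(), reason))
    return findings

# Constructed sample: the redirect shape quoted in the Symptoms text.
SAMPLE_BAD = ("HTTP/1.1 302 Found\r\n"
              "Location: https://[login.example.com]/my.policy\r\n"
              "Content-Length: 0\r\n\r\n")
# Constructed sample: a raw IPv6 literal, which is legal in brackets.
SAMPLE_OK = ("HTTP/1.1 302 Found\r\n"
             "Location: https://[2001:db8::10]/my.policy\r\n\r\n")

if __name__ == "__main__":
    for head in (SAMPLE_BAD, SAMPLE_OK):
        print(check_response_head(head) or "ok")
```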

Impact

Client is unable to authenticate.

Conditions

IPv6 virtual server, and On-Demand Cert Auth in the access policy. Only applies if a DNS hostname is used. Raw IPv6 addresses are not affected.

Workaround

None.

Fix Information

Clients connecting to an APM access policy with on-demand certificate authentication to an IPv6 virtual server now transmit the client certificate correctly when executing the access policy.

Behavior Change