Bug ID 610323: LTM SSL supports Client Certificate Constrained Delegation

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Aug 11, 2016
Severity: 3-Major

Symptoms

LTM does not support SSLI Client Certificate Constrained Delegation (C3D).

Impact

No C3D support.

Conditions

Using LTM.

Workaround

None.

Fix Information

ProxySSL allows a client and server to perform mutual authentication. It supports RSA key exchange only and will not work with PFS (perfect forward secrecy). C3D support allows servers that require authentication of the client certificate to work. C3D performs client authentication on the client side and then forges a client certificate on the server side if the server requests a client certificate. C3D is disabled by default. Enabling C3D has a performance impact.

Behavior Change