Bug ID 610323: LTM SSL supports Client Certificate Constrained Delegation

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:

Opened: Aug 11, 2016

Severity: 3-Major


LTM does not support SSLI Client Certificate Constrained Delegation Support (C3D).


No C3D support.


Using LTM.



Fix Information

ProxySSL allows a client and server to perform mutual authentication. It supports RSA key exchange only and will not work with PFS. The C3D support allows servers that require authentication of the client certificate to work. Basically, C3D performs client authentication on the client side and then forges a client certificate on the server side if server requests a client certificate. C3D is disabled by default. Enabling C3D has a performance impact.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips