Bug ID 644676: SAN with uppercase names result in case-sensitive match or will not match

Last Modified: Mar 21, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.3

Opened: Feb 13, 2017
Severity: 3-Major

Symptoms

SSL certificates with SAN domain names with uppercase characters will fail to match SNI requests for that domain name.

Impact

SNI does not match, resulting in the wrong certificate being returned to the client, which potentially results in a security warning in the client application due to a non-matching domain.

Conditions

Multiple client-ssl profiles configured with SNI associated with a single virtual where the SAN (Subject Alternative Name) contains DNS names with uppercase characters.

Workaround

Use lowercase characters for SAN domain names in SSL certificates.

Fix Information

SNI match is now case-insensitive.

Behavior Change