Bug ID 648700: Verification of peer certificate chain may return incorrect result.

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP All(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:

Opened: Mar 02, 2017

Severity: 3-Major


When a certificate chain is made up of multiple certificates, the verification of the chain may be wrong.


When the condition matches, the 'SSL::verify_result' may return the wrong result.


This happens when the 'untrusted-cert-response-control' and 'expire-cert-response-control' are both set to 'ignore' on server SSL profile, and 'sys db tmm.ssl.servercert_softval' is 'enable'.



Fix Information

'SSL::verify_result' returns the correct result.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips