Bug ID 653976: SSL handshake fails if server certificate contains multiple CommonNames

Last Modified: May 14, 2019

Bug Tracker

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5

Fixed In:
14.0.0, 13.1.0.6, 12.1.3.4

Opened: Mar 28, 2017
Severity: 3-Major
Related AskF5 Article:
K00610259

Symptoms

SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.

Impact

A connection with the external server cannot be established. In the case of a forward proxy, both bypass and intercept will fail.

Conditions

This issue occurs when both of the following conditions are met:
-- The external server certificate's Subject field contains multiple CommonNames.
-- The certificate does not contain a subjAltName extension (or, if it does, the same names are not included in the subjAltName's dNSName list).

Workaround

In the case of forward proxy bypass, configure IP address bypass instead of hostname bypass, since the IP address bypass check happens before the SSL handshake. The second option is to update the external server's certificate to include the list of CommonNames in the subjAltName extension as dNSName entries.

Fix Information

The system now checks all CommonNames in a certificate's Subject field instead of only the longest one.
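The following Python model, added here as an illustration and not F5 code, shows why the Conditions, Workaround and Fix above fit together: it extracts every CN from a subject string, checks the subjAltName dNSName list first, and then falls back to the Subject CNs either the pre-fix way (longest CN only) or the fixed way (every CN). The subject and SAN values are constructed inputs standing in for the parsed X.509 fields, the `verify_hostname` rule is a simplified reading of the bug text rather than the BIG-IP implementation, and the CN fallback when a SAN is present is assumed from the stated conditions (RFC 6125 itself says a CN should not be consulted once a SAN is present).

```python
"""Model of server-side hostname verification for certificates whose Subject
carries more than one CN (Bug ID 653976).  Constructed example, not F5 code."""
import re
from typing import List, Optional


def subject_common_names(subject: str) -> List[str]:
    """Return every CN value from an RFC 4514-style subject string, in order.
    Commas escaped as '\\,' inside a value are kept; other escape forms are
    not handled (constructed simplification for the example)."""
    cns = []
    for rdn in re.split(r'(?<!\\),\s*', subject):
        name, _, value = rdn.partition('=')
        if name.strip().upper() == 'CN':
            cns.append(value.strip().replace('\\,', ','))
    return cns


def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match allowing one leading wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith('*.'):
        p_labels, h_labels = pattern.split('.')[1:], hostname.split('.')
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname


def verify_hostname(hostname: str, subject: str, san_dns: Optional[List[str]],
                    check_all_cns: bool) -> bool:
    """Assumed rule for this example:
    1. a dNSName in subjAltName that matches the hostname is accepted;
    2. otherwise the Subject CN(s) are consulted (assumption drawn from the
       bug's Conditions; RFC 6125 would stop at step 1 when a SAN exists).
    check_all_cns=False reproduces the pre-fix behaviour (only the longest CN
    is checked); check_all_cns=True reproduces the fix (every CN is checked).
    """
    if san_dns and any(_label_match(n, hostname) for n in san_dns):
        return True
    cns = subject_common_names(subject)
    if not cns:
        return False
    if not check_all_cns:
        cns = [max(cns, key=len)]  # pre-fix: longest CN wins, others ignored
    return any(_label_match(cn, hostname) for cn in cns)


# Constructed certificate fields: two CNs, the shorter one being the name the
# client actually connects to, and no subjAltName extension.
SAMPLE_SUBJECT = 'CN=shop.example.com, CN=example.com, O=Example\\, Inc, C=US'

if __name__ == '__main__':
    for mode in (False, True):
        ok = verify_hostname('example.com', SAMPLE_SUBJECT, None, mode)
        print(f'check_all_cns={mode}: example.com accepted -> {ok}')
    # Workaround 2 from the bug: list the CNs as dNSName entries in the SAN.
    print('with SAN:', verify_hostname('example.com', SAMPLE_SUBJECT,
                                       ['shop.example.com', 'example.com'], False))
```

Run as a script to see the pre-fix check reject `example.com` (only `shop.example.com`, the longest CN, was compared), the fixed check accept it, and the SAN workaround accept it even under the pre-fix rule.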

Behavior Change