Bug ID 653976: SSL handshake fails if server certificate contains multiple CommonNames

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 12.1.3,,,, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,

Fixed In:

Opened: Mar 28, 2017

Severity: 3-Major

Related Article: K00610259


SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.


Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.


This issue occurs when both of the following conditions are met: -- The external server certificate's Subject field contains multiple CommonNames. -- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).


In case of forward proxy bypass, configure IP address bypass instead of hostname bypass since IP address bypass check happens before SSL handshake. The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.

Fix Information

The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one in length.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips