Last Modified: May 14, 2019
See more info
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 18.104.22.168, 22.214.171.124, 126.96.36.199, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124
14.0.0, 126.96.36.199, 188.8.131.52
Opened: Mar 28, 2017
Related AskF5 Article: K00610259
SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.
Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.
This issue occurs when both of the following conditions are met: -- The external server certificate's Subject field contains multiple CommonNames. -- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).
In case of forward proxy bypass, configure IP address bypass instead of hostname bypass since IP address bypass check happens before SSL handshake. The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.
The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one in length.