Last Modified: Jul 13, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5
Fixed In:
14.0.0, 13.1.0.6, 12.1.3.4
Opened: Mar 28, 2017 Severity: 3-Major Related Article:
K00610259
SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.
Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.
This issue occurs when both of the following conditions are met: -- The external server certificate's Subject field contains multiple CommonNames. -- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).
In case of forward proxy bypass, configure IP address bypass instead of hostname bypass since IP address bypass check happens before SSL handshake. The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.
The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one in length.