Bug ID 653976: SSL handshake fails if server certificate contains multiple CommonNames

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3,,,, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,

Fixed In:

Opened: Mar 28, 2017
Severity: 3-Major
Related AskF5 Article:


SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.


Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.


This issue occurs when both of the following conditions are met: -- The external server certificate's Subject field contains multiple CommonNames. -- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).


In case of forward proxy bypass, configure IP address bypass instead of hostname bypass since IP address bypass check happens before SSL handshake. The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.

Fix Information

The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one in length.

Behavior Change