Bug ID 670011: SSL forward proxy does not create the server certchain when ignoring server certificates

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1, 12.1.3

Opened: Jun 20, 2017

Severity: 1-Blocking

Symptoms

The forward proxy does not work correctly when server certificates are ignored. SSL forward proxy does not create the server certchain when ignoring server certificates. This prevents the client side from trusting the server cert, so the SSL handshake hangs and then fails after the timeout.

Impact

The client cannot establish an SSL connection with the server because the SSL handshake always times out.

Conditions

-- SSL forward proxy or SSL intercept is configured.
-- Ignore server certificate configured in the server SSL profile.

Workaround

None.

Fix Information

The system now generates the server certchain (even when the server SSL profile ignores server certificates) and passes it to the client SSL, so that the client SSL can forge the cert and finish the SSL handshake.

Behavior Change
