Bug ID 670011: SSL forward proxy does not create the server certchain when ignoring server certificates

Last Modified: May 14, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1, 12.1.3

Opened: Jun 20, 2017
Severity: 1-Blocking

Symptoms

SSL forward proxy does not work correctly when server certificates are ignored. It does not create the server certchain when ignoring server certificates; this prevents the client side from trusting the server cert, so the SSL handshake hangs and fails after the timeout.

Impact

The client cannot establish an SSL connection with the server because the SSL handshake always times out.

Conditions

-- SSL forward proxy or SSL intercept is configured.
-- Ignore server certificate is configured in the server SSL profile.
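
A way to check a device against these conditions, as an added example (not F5 code). It assumes the input is saved output of `tmsh list ltm profile server-ssl all-properties`, and it assumes the two conditions correspond to the server SSL profile attributes `ssl-forward-proxy enabled` and `peer-cert-mode ignore`; the profile names and sample listing are constructed.

```python
import re

# Affected releases exactly as listed on this page.
AFFECTED = set(
    "12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, "
    "12.1.2 HF1, 12.1.2 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3".split(", ")
)
HEADER = re.compile(r"^ltm profile server-ssl (\S+) \{$")

# Constructed sample in the shape of a tmsh server-ssl profile listing.
SAMPLE = """\
ltm profile server-ssl fwd_proxy_ignore {
    options { dont-insert-empty-fragments }
    peer-cert-mode ignore
    ssl-forward-proxy enabled
}
ltm profile server-ssl fwd_proxy_require {
    peer-cert-mode require
    ssl-forward-proxy enabled
}
ltm profile server-ssl plain_serverssl {
    peer-cert-mode ignore
    ssl-forward-proxy disabled
}
"""

def parse_server_ssl(text):
    """Return {profile: {attribute: value}} for each profile's top-level attributes."""
    profiles, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            m = HEADER.match(line)
            if m:
                name, depth = m.group(1), 1
                profiles[name] = {}
            continue
        # Record "key value" pairs only at the profile's own level.
        if depth == 1 and " " in line and not line.endswith("{"):
            key, value = line.split(None, 1)
            profiles[name][key] = value
        depth += line.count("{") - line.count("}")  # track nested blocks
    return profiles

def exposed_profiles(version, text):
    """Profiles meeting both conditions (assumed mapping) on a listed release."""
    if " ".join(version.split()) not in AFFECTED:
        return []
    return sorted(n for n, a in parse_server_ssl(text).items()
                  if a.get("ssl-forward-proxy") == "enabled"
                  and a.get("peer-cert-mode") == "ignore")

if __name__ == "__main__":
    print(exposed_profiles("12.1.2 HF1", SAMPLE))
```
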

Workaround

None.

Fix Information

The system now generates the server certchain (even when the server SSL profile ignores server certificates) and passes it to the client SSL, so that the client SSL can forge the cert and finish the SSL handshake.

Behavior Change