Bug ID 688140: Forward Proxy SSL server side may send a wrong SNI extension when the client does not send one

Last Modified: May 01, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5

Fixed In:
14.0.0

Opened: Oct 11, 2017
Severity: 3-Major

Symptoms

On the server side, Forward Proxy SSL may send a wrong SNI extension when the client does not send one in its ClientHello message.

Impact

The server side of the proxy will use a wrong SNI in the SSL handshake.

Conditions

Forward Proxy SSL is in use and the client does not send an SNI extension in its ClientHello. In that case the server side will send a wrong SNI extension in its own ClientHello.

Workaround

There is no workaround.

Fix Information

The server side will not send an SNI extension in its ClientHello if the client does not send one in its own ClientHello.
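
One way to check captured handshakes for this condition, as an added example that is not F5 code: the parser below extracts the SNI host name from a TLS ClientHello record, and `proxy_sni_status` (a hypothetical helper) flags the case where the client's ClientHello has no SNI but the proxy's server-side ClientHello carries one. The sample records from `build_client_hello` and the `example.test` host names are constructed.

```python
def extract_sni(record: bytes):
    """Return the SNI host name in a TLS ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:          # record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != 0x01:              # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        pos = 2 + 32                                   # client_version + random
        pos += 1 + hello[pos]                          # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + hello[pos]                          # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    if pos + 2 > len(hello):
        return None                                    # no extensions block at all
    end = min(len(hello), pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(hello[pos:pos + 2], "big")
        ext_len = int.from_bytes(hello[pos + 2:pos + 4], "big")
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        # server_name (type 0): list_len(2) name_type(1) name_len(2) name
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:
            return data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii")
    return None

def build_client_hello(sni=None) -> bytes:
    """Constructed sample record: minimal ClientHello, with SNI only if given."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name
        body = len(entry).to_bytes(2, "big") + entry
        exts = b"\x00\x00" + len(body).to_bytes(2, "big") + body
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
             + len(exts).to_bytes(2, "big") + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def proxy_sni_status(client_side: bytes, server_side: bytes) -> str:
    """Compare the client's ClientHello with the one the proxy sent upstream."""
    client_sni, upstream_sni = extract_sni(client_side), extract_sni(server_side)
    if client_sni is None and upstream_sni is not None:
        return f"affected: client sent no SNI, proxy sent {upstream_sni!r}"
    return "ok"
```

Feed it the first TLS record from each side of the proxy, taken from a packet capture of the same connection.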

Behavior Change