Bug ID 688140: Forward Proxy SSL server side may send a wrong SNI extension when the client does not send one

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Fixed In:
14.0.0

Opened: Oct 11, 2017

Severity: 3-Major

Symptoms

The server side of Forward Proxy SSL may send a wrong SNI extension when the client does not send one in its ClientHello message.

Impact

The server side of the proxy uses a wrong SNI in the SSL handshake.

Conditions

Forward Proxy SSL is in use and the client does not send an SNI extension in its ClientHello. In that case the server side sends a wrong SNI extension in its own ClientHello.

Workaround

There is no workaround.

Fix Information

The server side does not send an SNI extension in its ClientHello if the client does not send one in its own ClientHello.

Behavior Change
