Bug ID 688571: Untrusted cert might be accepted by the server-ssl even though 'untrusted-cert-response-control drop' is configured in the server-ssl profile.

Last Modified: May 14, 2019

Bug Tracker

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3

Fixed In:
14.0.0, 13.1.0.4

Opened: Oct 12, 2017
Severity: 3-Major
Related AskF5 Article:
K40332712

Symptoms

If the server-ssl profile is configured with 'untrusted-cert-response-control drop' and the BIG-IP system receives a certificate from the backend server that it does not trust, the expected behavior is that the system ends the connection. Instead, the current server-side behavior is that the system accepts the untrusted certificate and establishes the SSL connection with the backend server.

Impact

The virtual server might communicate with a backend server that sends an untrusted certificate to the BIG-IP system: the untrusted certificate is still accepted on the server side of the virtual server even though 'untrusted-cert-response-control drop' is configured in the server-ssl profile.

Conditions

-- The BIG-IP system receives a certificate from the backend server that is not trusted by the BIG-IP system.
-- 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
-- The corresponding server-ssl profile is assigned to the virtual server.
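To find which server-ssl profiles on a system meet these conditions, the following is an added example, not F5's own code or tooling: it parses the output of 'tmsh list ltm profile server-ssl' (the sample output below is constructed), resolves 'defaults-from' inheritance so that child profiles are not missed, and reports the profiles whose effective setting is 'drop' when the running version is in the affected list. The version string is assumed to match the format of the Known Affected Versions list above.

```python
# Added example (not F5's code): flag server-ssl profiles whose effective setting is
# 'untrusted-cert-response-control drop' on a BIG-IP version affected by Bug ID 688571.
# Input: 'tmsh list ltm profile server-ssl' output (sample is constructed) and the
# running version string, assumed to match the Known Affected Versions format.
import re
AFFECTED_VERSIONS = {"13.0.0", "13.0.0 HF1", "13.0.0 HF2", "13.0.0 HF3", "13.0.1",
                     "13.1.0", "13.1.0.1", "13.1.0.2", "13.1.0.3"}
SAMPLE_TMSH_OUTPUT = """\
ltm profile server-ssl serverssl {
    untrusted-cert-response-control ignore
}
ltm profile server-ssl serverssl-secure {
    peer-cert-mode require
    untrusted-cert-response-control drop
}
ltm profile server-ssl serverssl-api {
    defaults-from serverssl-secure
}
"""

def parse_server_ssl_profiles(tmsh_output):
    # Returns {profile_name: {property: value}} from the 'tmsh list' block syntax.
    profiles, current = {}, None
    for line in tmsh_output.splitlines():
        m = re.match(r"ltm profile server-ssl (\S+) \{", line)
        if m:
            current = profiles.setdefault(m.group(1), {})
        elif line.strip() == "}":
            current = None
        elif current is not None and line.strip():
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return profiles

def effective_setting(profiles, name, prop):
    # Resolve a property through the 'defaults-from' chain (cycle-safe).
    seen = set()
    while name in profiles and name not in seen:
        seen.add(name)
        if prop in profiles[name]:
            return profiles[name][prop]
        name = profiles[name].get("defaults-from")
    return None

def exposed_profiles(tmsh_output, version):
    # Profiles that rely on 'drop' while the running version does not enforce it.
    if version not in AFFECTED_VERSIONS:
        return []
    profiles = parse_server_ssl_profiles(tmsh_output)
    return sorted(n for n in profiles
                  if effective_setting(profiles, n, "untrusted-cert-response-control") == "drop")
```

On a live system, feed it the real command output and the version from 'tmsh show sys version'; any profile it lists is one where the drop setting cannot be relied on until the fixed release is installed.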

Workaround

None.

Fix Information

When the system receives an untrusted certificate from the backend server and the server-ssl profile is configured with 'untrusted-cert-response-control drop', the system now ends the SSL handshake instead of continuing to complete it.

Behavior Change