Last Modified: May 14, 2019
Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 220.127.116.11, 18.104.22.168, 22.214.171.124
Opened: Oct 12, 2017
Related AskF5 Article: K40332712
If the server-ssl profile is configured with 'untrusted-cert-response-control drop' and the system receives a certificate from the backend server that the current BIG-IP system does not trust, the expected behavior is for the system to end the connection. The current server-side behavior, however, is that the system still accepts the untrusted certificate and establishes the SSL connection with the backend server.
A virtual server might communicate with a backend server that sends an untrusted certificate to the BIG-IP system. The untrusted certificate can still be accepted by the virtual server's server-ssl profile even though 'untrusted-cert-response-control drop' is configured in that profile.
-- The BIG-IP system receives a certificate from the backend server that is not trusted by the BIG-IP system.
-- 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
-- The corresponding server-ssl profile is assigned to the virtual server.
When the system receives an untrusted certificate from the backend server and the server-ssl profile is configured with 'untrusted-cert-response-control drop', the system now ends the SSL handshake instead of continuing to complete it.