Bug ID 688571: Untrusted cert might be accepted by the server-ssl even though 'untrusted-cert-response-control drop' is configured in the server-ssl profile.

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3

Fixed In:
14.0.0, 13.1.0.4

Opened: Oct 12, 2017

Severity: 3-Major

Related Article: K40332712

Symptoms

If the server-ssl profile is configured with 'untrusted-cert-response-control drop' and the system receives a certificate from the backend server that is not trusted by the BIG-IP system, the expected behavior is that the system ends the connection. The current server-side behavior, however, is that the system still accepts the untrusted certificate and establishes the SSL connection with the backend server.

Impact

A virtual server might communicate with a backend server that presents an untrusted certificate to the BIG-IP system. The untrusted certificate can still be accepted by a virtual server using the server-ssl profile even though 'untrusted-cert-response-control drop' is configured in that profile.

Conditions

-- The BIG-IP system receives a certificate from the backend server that is not trusted by the BIG-IP system.
-- 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
-- The corresponding server-ssl profile is applied to the virtual server.

Workaround

None.

Fix Information

When the system receives an untrusted certificate from the backend server and the server-ssl profile is configured with 'untrusted-cert-response-control drop', the system ends the current SSL handshake instead of continuing to complete it.
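To locate configurations that depend on the setting this bug ignores, here is an added audit example (not part of the bug page and not an F5 tool) that parses constructed 'tmsh list ltm profile server-ssl' output, follows defaults-from inheritance, and reports server-ssl profiles whose effective setting is 'drop' when the running version is in the affected list; the profile names and CA file path are assumptions.

```python
import re

# Affected versions as listed on this bug page (fixed in 14.0.0 and 13.1.0.4).
AFFECTED = {"13.0.0", "13.0.0 HF1", "13.0.0 HF2", "13.0.0 HF3", "13.0.1",
            "13.1.0", "13.1.0.1", "13.1.0.2", "13.1.0.3"}

# Constructed sample resembling 'tmsh list ltm profile server-ssl' output;
# profile names and the CA file are made up for this example.
SAMPLE_TMSH = """\
ltm profile server-ssl /Common/backend-strict {
    ca-file /Common/corp-ca.crt
    peer-cert-mode require
    untrusted-cert-response-control drop
}
ltm profile server-ssl /Common/backend-app1 {
    defaults-from /Common/backend-strict
}
ltm profile server-ssl /Common/serverssl {
    untrusted-cert-response-control ignore
}
"""

PROFILE_RE = re.compile(r"ltm profile server-ssl (\S+) \{(.*?)\n\}", re.S)

def parse_profiles(text):
    """Return {profile_name: {attribute: value}} from tmsh 'list' output."""
    profiles = {}
    for name, body in PROFILE_RE.findall(text):
        attrs = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            attrs[key] = value
        profiles[name] = attrs
    return profiles

def resolve(name, profiles, attr):
    """Follow the defaults-from chain until attr is set; None if never set."""
    seen = set()
    while name in profiles and name not in seen:
        seen.add(name)
        if attr in profiles[name]:
            return profiles[name][attr]
        name = profiles[name].get("defaults-from")
    return None

def exposed_profiles(text, version):
    """Profiles whose effective setting is 'drop' on a version that ignores it."""
    if version not in AFFECTED:
        return []
    profiles = parse_profiles(text)
    return sorted(n for n in profiles
                  if resolve(n, profiles, "untrusted-cert-response-control") == "drop")
```

On an affected version every profile returned still completes the handshake with an untrusted backend certificate, so upgrading is the only remedy given the page lists no workaround.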

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips