Last Modified: Dec 06, 2022
Affected Product(s):
BIG-IP LTM
Fixed In:
14.1.0
Opened: Dec 29, 2017 Severity: 3-Major
Symptoms:
In SSL Forward Proxy, the client side forges a server certificate and caches the forged certificate for every server certificate that passes server-side certificate validation, including expired certificates.
Impact:
Caching the forged copy of an expired certificate may cause SSL to keep using that expired certificate even after the backend server renews its certificate.
Conditions:
In a server-side profile with SSL Forward Proxy enabled, 'server authentication' is set to required and 'expired certificate response control' is set to ignore. When the backend server certificate has expired, the client-side SSL forges a certificate and caches the forged certificate.
Workaround:
None
Fix Information:
With this fix, SSL no longer caches an expired server certificate.
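The following is an added illustration of the conditions and the fix described above; it is constructed for this record and is not F5 code. It models the client-side forgery cache as a small Python class: with 'expired certificate response control' set to ignore, an expired server certificate passes validation and, before the fix, its forgery is cached and keeps being served after the backend renews its certificate. The model assumes the cache is keyed by server name (the real cache key is not stated in the record), and the certificate values, dates and the name example.test are constructed sample data.

```python
"""Constructed model of a forward-proxy forged-certificate cache.

Added illustration, not F5 code. The cache key (server subject name) is an
assumption made for the model; the record does not state the real key.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple


@dataclass(frozen=True)
class ServerCert:
    """Minimal stand-in for an X.509 server certificate."""
    subject: str
    serial: int
    not_after: datetime

    def is_expired(self, now: datetime) -> bool:
        return now > self.not_after


@dataclass(frozen=True)
class ForgedCert:
    """Certificate the proxy presents to the client; records the serial of
    the origin certificate it was forged from."""
    subject: str
    origin_serial: int


class ForwardProxyCache:
    """Client-side forgery cache.

    expired_response: 'ignore' or 'drop', mirroring the profile's
      'expired certificate response control' setting.
    cache_expired: True reproduces the pre-fix behaviour (cache every
      forgery that passed validation); False reproduces the fixed behaviour.
    """

    def __init__(self, expired_response: str, cache_expired: bool) -> None:
        self.expired_response = expired_response
        self.cache_expired = cache_expired
        self._cache: Dict[str, ForgedCert] = {}

    def validate(self, cert: ServerCert, now: datetime) -> None:
        # With 'server authentication' required, an expired certificate is
        # rejected only when the response control is 'drop'; 'ignore' lets
        # it pass validation.
        if cert.is_expired(now) and self.expired_response == "drop":
            raise ValueError(f"server certificate serial {cert.serial} has expired")

    def handshake(self, server_cert: ServerCert, now: datetime) -> Tuple[ForgedCert, bool]:
        """Return (forged cert presented to the client, came_from_cache)."""
        self.validate(server_cert, now)
        cached = self._cache.get(server_cert.subject)
        if cached is not None:
            return cached, True
        forged = ForgedCert(server_cert.subject, server_cert.serial)
        # The fix: never cache a forgery derived from an expired certificate.
        if self.cache_expired or not server_cert.is_expired(now):
            self._cache[server_cert.subject] = forged
        return forged, False


def renewal_scenario(cache_expired: bool) -> Tuple[int, bool]:
    """Expired certificate seen first, then the renewed one. Returns the
    origin serial behind the forgery served on the second handshake and
    whether that forgery came from the cache."""
    now = datetime(2018, 1, 1, tzinfo=timezone.utc)  # constructed timeline
    expired = ServerCert("example.test", 1, now - timedelta(days=1))
    renewed = ServerCert("example.test", 2, now + timedelta(days=365))
    proxy = ForwardProxyCache("ignore", cache_expired)
    proxy.handshake(expired, now)          # forged from the expired cert
    served, hit = proxy.handshake(renewed, now)
    return served.origin_serial, hit


if __name__ == "__main__":
    print("pre-fix:", renewal_scenario(cache_expired=True))   # (1, True)
    print("fixed:  ", renewal_scenario(cache_expired=False))  # (2, False)
```

Running the two scenarios shows the difference: before the fix the second handshake is a cache hit and the client still receives a forgery derived from the expired certificate (serial 1); with the fix the expired forgery was never cached, so the renewed certificate (serial 2) is forged fresh.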