Symptoms

In SSL Forward Proxy, the client side forges a server certificate and caches the forged cert for all server certificates passed the server side certificate validation including expired certificate.

Impact

The caching of the expired certificate may cause the SSL to use the expired certificate even when the backend server renew the certificate.

Conditions

In SSL Forward Proxy enabled server side profile, the 'server authentication' is set to required, and the 'expired certificate response control' is set to ignore. When the backend server certificate expired, the client side SSL will forge a certificate and cache the forged certificate.

Workaround

None

Fix Information

With this fix, SSL will no longer cache expired server certificate.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips