Bug ID 700287: SSL Forward Proxy not to cache expired server certificate

Last Modified: Feb 05, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Fixed In:

Opened: Dec 29, 2017

Severity: 3-Major


In SSL Forward Proxy, the client side forges a server certificate and caches the forged cert for all server certificates passed the server side certificate validation including expired certificate.


The caching of the expired certificate may cause the SSL to use the expired certificate even when the backend server renew the certificate.


In SSL Forward Proxy enabled server side profile, the 'server authentication' is set to required, and the 'expired certificate response control' is set to ignore. When the backend server certificate expired, the client side SSL will forge a certificate and cache the forged certificate.



Fix Information

With this fix, SSL will no longer cache expired server certificate.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips