Bug ID 700287: SSL Forward Proxy not to cache expired server certificate

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product: BIG-IP LTM (all modules)

Fixed In:
14.1.0

Opened: Dec 29, 2017
Severity: 3-Major

Symptoms

In SSL Forward Proxy, the client-side SSL profile forges a server certificate and caches the forged certificate for every server certificate that passes server-side certificate validation, including server certificates that have already expired.

Impact

Because the cache is keyed on the server rather than on the specific certificate, the forged certificate derived from the expired server certificate keeps being presented to clients even after the backend server renews its certificate.

Conditions

In a server-side SSL profile with SSL Forward Proxy enabled, 'server authentication' is set to 'required' and 'expired certificate response control' is set to 'ignore'. When the backend server presents an expired certificate, the client-side SSL profile forges a certificate from it and caches the forged certificate.

Workaround

None

Fix Information

With this fix, SSL no longer caches a forged certificate derived from an expired server certificate. A forged certificate is still generated for each connection while the backend certificate is expired (when 'expired certificate response control' is 'ignore'), but once the backend renews its certificate a new forged certificate is generated and cached.
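As an added illustration (this is not F5 code and not the BIG-IP implementation; it is a stand-alone Python model with constructed certificate objects), the following shows why a forged-certificate cache keyed on the origin server lets a forgery of an expired certificate survive the backend's renewal, and how refusing to cache forgeries of expired server certificates fixes it. The `ServerCert`, `ForgedCert` and `ForwardProxyCache` names, their fields, and the `cache_expired` switch that reproduces the pre-14.1.0 behavior are assumptions made for the example; the 'drop'/'ignore' values mirror the page's 'expired certificate response control' setting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# Constructed stand-ins for X.509 certificates (assumption: only the fields
# the example needs are modeled).
@dataclass(frozen=True)
class ServerCert:
    subject: str
    serial: int
    not_before: datetime
    not_after: datetime

    def is_expired(self, now: datetime) -> bool:
        return not (self.not_before <= now <= self.not_after)


@dataclass(frozen=True)
class ForgedCert:
    subject: str
    origin_serial: int      # serial of the server cert this forgery was derived from
    not_after: datetime     # the forgery copies the origin cert's validity end


class ForwardProxyCache:
    """Assumed model of the client-side forged-cert cache, not BIG-IP's code."""

    def __init__(self, expire_cert_response_control: str = "ignore",
                 cache_expired: bool = False) -> None:
        if expire_cert_response_control not in ("drop", "ignore"):
            raise ValueError("expire_cert_response_control must be 'drop' or 'ignore'")
        self.expire_cert_response_control = expire_cert_response_control
        self.cache_expired = cache_expired   # True reproduces the pre-fix behavior
        self._cache: Dict[str, ForgedCert] = {}

    def forged_cert_for(self, origin: ServerCert, now: datetime) -> Tuple[ForgedCert, bool]:
        """Return (forged cert, served_from_cache) for one client connection."""
        expired = origin.is_expired(now)
        # Server-side validation with 'server authentication' = required:
        # 'drop' rejects an expired backend cert, 'ignore' lets it through.
        if expired and self.expire_cert_response_control == "drop":
            raise ConnectionError(f"expired server certificate for {origin.subject}")
        # The cache is keyed on the server identity, not on the specific cert,
        # so a stale entry is returned regardless of what the backend now serves.
        cached = self._cache.get(origin.subject)
        if cached is not None:
            return cached, True
        forged = ForgedCert(origin.subject, origin.serial, origin.not_after)
        # The fix: never cache a forgery of an expired server certificate.
        if not expired or self.cache_expired:
            self._cache[origin.subject] = forged
        return forged, False


def renewal_scenario(cache_expired: bool) -> dict:
    """Backend serves an expired cert, two clients connect, backend renews, a third connects."""
    t0 = datetime(2018, 1, 1, tzinfo=timezone.utc)
    old = ServerCert("www.example.test", serial=1,
                     not_before=t0 - timedelta(days=400), not_after=t0 - timedelta(days=1))
    new = ServerCert("www.example.test", serial=2,
                     not_before=t0, not_after=t0 + timedelta(days=365))
    proxy = ForwardProxyCache("ignore", cache_expired=cache_expired)

    first, hit1 = proxy.forged_cert_for(old, t0)
    second, hit2 = proxy.forged_cert_for(old, t0 + timedelta(minutes=1))
    after_renewal = t0 + timedelta(hours=1)
    third, hit3 = proxy.forged_cert_for(new, after_renewal)
    return {
        "served_serials": [first.origin_serial, second.origin_serial, third.origin_serial],
        "cache_hits": [hit1, hit2, hit3],
        "stale_after_renewal": third.not_after < after_renewal,
    }


def drop_mode_rejects_expired() -> bool:
    """With 'drop', an expired backend cert never reaches the forging step."""
    t0 = datetime(2018, 1, 1, tzinfo=timezone.utc)
    old = ServerCert("www.example.test", 1, t0 - timedelta(days=400), t0 - timedelta(days=1))
    try:
        ForwardProxyCache("drop").forged_cert_for(old, t0)
    except ConnectionError:
        return True
    return False


if __name__ == "__main__":
    print("pre-fix :", renewal_scenario(cache_expired=True))
    print("fixed   :", renewal_scenario(cache_expired=False))
    print("drop rejects expired:", drop_mode_rejects_expired())
```

In the pre-fix run the third client, connecting after the backend has renewed, still receives the forgery derived from serial 1 with its expired validity; in the fixed run the two connections during the expired period each get an uncached forgery and the third gets a fresh forgery of the renewed certificate, which is then cached.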

Behavior Change