Bug ID 739379: Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4

Fixed In:
14.1.0, 14.0.0.5, 13.1.1.4

Opened: Aug 06, 2018

Severity: 3-Major

Symptoms

In situations where multiple SSL forward proxies are chained via virtual targeting, the SNI value extracted from the ClientHello and saved by the first layer of SSL forward proxy may be overwritten by the second layer of SSL forward proxy. When this happens, certificate verification fails when the first layer of SSL forward proxy attempts to validate the server certificate.

Impact

Client traffic gets randomly reset.

Conditions

Two SSL forward proxies connected via the virtual command in an iRule.

Workaround

None.

Fix Information

The parsed SNI is now stored with a scope local to each SSL forward proxy, so one layer can no longer overwrite the value saved by another.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips