Bug ID 739379: Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:,,,,,,, 13.1.1,,, 14.0.0,,,,

Fixed In:

Opened: Aug 06, 2018

Severity: 3-Major


When multiple SSL forward proxies are connected via virtual targeting, the SNI value extracted from the ClientHello and saved in the first layer of SSL forward proxy may be overwritten by the second layer of SSL forward proxy. When this happens, certificate verification fails when the first layer of SSL forward proxy attempts to validate the certificate.


Client traffic is randomly reset.


Two SSL forward proxies are connected via the virtual command in an iRule.



Fix Information

The scope in which the parsed SNI is stored is now local to each SSL forward proxy.

Behavior Change
