Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6
Opened: Jan 22, 2019 Severity: 2-Critical
An SSLo performance drop of approximately 20% is seen when using untrusted certificates, as they are no longer cached. Previously, SSL forward proxy cached forged server certs on the client side even if the server cert was untrusted. Now, SSL forward proxy does not cache the forged cert if the server cert is untrusted.
You might notice a performance impact compared with previous releases. This impact is only seen in SSLo tests - forward proxy results are not impacted.
The Server Certificate check feature is enabled, SSL forward proxy is enabled, and the server certificate is untrusted.
None.
None
Previously, SSL forward proxy cached forged server certs on the client side even if the server cert was untrusted. Now, SSL forward proxy does not cache the forged cert if the server cert is untrusted. As a result, you might notice slower performance in this release under these conditions.