Bug ID 944381: Dynamic CRL checking for client certificate is not working when TLS1.3 is used.

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6

Fixed In:
17.0.0, 16.1.3.1, 15.1.6.1

Opened: Sep 12, 2020

Severity: 2-Critical

Symptoms

In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used. The SSL handshake successfully completed even though the client certificate is revoked.

Impact

The handshake should fail but complete successfully

Conditions

-- Dynamic CRL checking enabled on a client-ssl profile -- The client-side SSL handshake uses TLS1.3.

Workaround

None

Fix Information

The issue was due to Dynamic CRL revocation check has not been integrated to TLS 1.3. After the Dynamic CRL checking is integrated to TLS 1.3, the TLS handshake will work as expected.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips