Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6
Fixed In:
17.0.0, 16.1.3.1, 15.1.6.1
Opened: Sep 12, 2020 Severity: 2-Critical
In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used. The SSL handshake successfully completed even though the client certificate is revoked.
The handshake should fail but complete successfully
-- Dynamic CRL checking enabled on a client-ssl profile -- The client-side SSL handshake uses TLS1.3.
None
The issue was due to Dynamic CRL revocation check has not been integrated to TLS 1.3. After the Dynamic CRL checking is integrated to TLS 1.3, the TLS handshake will work as expected.