Bug ID 944381: Dynamic CRL checking for client certificate is not working when TLS1.3 is used.

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3

Fixed In:
17.0.0, 16.1.3.1, 15.1.6.1

Opened: Sep 12, 2020
Severity: 2-Critical

Symptoms

In an SSL reverse proxy, dynamic CRL checking for the client certificate does not work when a TLS 1.3 handshake is used. The SSL handshake completes successfully even though the client certificate is revoked.

Impact

The handshake should fail but instead completes successfully, so a client presenting a revoked certificate is accepted.

Conditions

-- Dynamic CRL checking is enabled on a client-ssl profile.
-- The client-side SSL handshake uses TLS 1.3.

Workaround

None

Fix Information

The issue was caused by the dynamic CRL revocation check not having been integrated into the TLS 1.3 handshake. Now that dynamic CRL checking is integrated into TLS 1.3, the TLS handshake works as expected and is rejected when the client certificate is revoked.

Behavior Change