Bug ID 944381: Dynamic CRL checking for client certificate is not working when TLS1.3 is used.

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP LTM (all modules)

Opened: Sep 12, 2020
Severity: 2-Critical

Symptoms

In SSL reverse proxy, dynamic CRL checking of the client certificate does not work when a TLS 1.3 handshake is used. The SSL handshake completes successfully even though the client certificate is revoked.

Impact

The handshake should fail but completes successfully.

Conditions

-- Dynamic CRL checking is enabled on a client-ssl profile.
-- The client-side SSL handshake uses TLS 1.3.

Workaround

None

Fix Information

None

Behavior Change