Bug ID 964673: CRL with duplicate entries is allowed to be uploaded, but later unable to pass traffic due to 'invalid profile'

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
13.1.3, 13.1.4, 13.1.5, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.1.9, 15.1.10, 16.0.1

Opened: Nov 13, 2020

Severity: 3-Major


A CRL containing a duplicate entry can be uploaded and attached to an SSL profile, and that profile can then be attached to a virtual server. The virtual server then fails to process traffic due to 'invalid profile'. A log entry such as the following appears in the LTM log:

warning tmm1[3543]: 01260009:4: -> Connection error: hud_ssl_handler:1216: alert(40) invalid profile unknown on VIP /Common/vip-01

The 'invalid profile' message appears in the LTM log only after the CRL is attached to the SSL profile and the SSL profile is attached to the virtual server. It is not logged when the CRL is first uploaded or when the CRL is attached to the SSL profile.


Traffic disrupted on the virtual server.


CRL containing duplicate entry.


Don't upload a CRL containing duplicate entries.
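
Because the upload itself is not rejected, the CRL can be checked before it is imported. The script below is an added example, not part of the F5 bug record. It assumes that a "duplicate entry" means the same certificate serial number listed more than once, and that the openssl command-line tool is available; the function names and the sample CRL text are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-upload check for duplicate entries in a CRL.
# Assumption: "duplicate entry" = one serial number revoked more than once.

# Read `openssl crl -noout -text` output on stdin and print every serial
# number that occurs more than once (one per line; nothing if none).
dup_serials() {
    awk '/^[[:space:]]*Serial Number:/ {
             s = toupper($NF)              # normalise hex case
             if (++seen[s] == 2) print s   # report each duplicate once
         }'
}

# Check a CRL file. Second argument is the encoding: PEM (default) or DER.
# Returns 0 if clean, 1 if duplicates were found, 2 if the file is not a CRL.
check_crl() {
    local file="$1" form="${2:-PEM}" text dups
    text=$(openssl crl -in "$file" -inform "$form" -noout -text 2>/dev/null) || {
        echo "cannot parse $file as a $form CRL" >&2
        return 2
    }
    dups=$(printf '%s\n' "$text" | dup_serials)
    if [ -z "$dups" ]; then
        return 0
    fi
    printf '%s\n' "$dups" | while read -r s; do
        echo "duplicate serial $s in $file" >&2
    done
    return 1
}

# Constructed sample in the layout printed by `openssl crl -text`.
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN = Example Issuing CA
Revoked Certificates:
    Serial Number: 1000
        Revocation Date: Nov  1 00:00:00 2020 GMT
    Serial Number: 1001
        Revocation Date: Nov  2 00:00:00 2020 GMT
    Serial Number: 1000
        Revocation Date: Nov  3 00:00:00 2020 GMT'

# Demo on the constructed sample: reports the repeated serial.
printf '%s\n' "$SAMPLE_CRL_TEXT" | dup_serials
```

Run check_crl against the CRL file before uploading it and treat a non-zero return code as a reason not to import the file.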

Fix Information


Behavior Change
