Bug ID 878641: "TLS1.3 certificate request message does not contain CAs" not fixed?
BigIP Version: 16.1.3.3
Hello community,
When trying to configure Client-Certificate-Authentication in a clientssl-profile with "Advertised Certificate Authorities" we found that with TLS1.3 the list is empty:
openssl s_client
=> No client certificate CA names sent
When using TLS1.2 it works:
=> Acceptable client certificate CA names
<list of CAs>
This looks exactly like https://cdn.f5.com/product/bugtracker/ID878641.html which lists just 15.x as affected and as fixed. Our box uses 16.1.3.3.
Could someone explain what that means? Versions 16.x are not known to be affected or "should" be fixed in 16.x as well? The KB https://my.f5.com/manage/s/article/K07245790 lists all versions as affected, however.
Can someone confirm the bug in versions 16.x?
Thanks!
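The TLS1.2 versus TLS1.3 comparison from the post above, as an added example that is not part of the original thread: it classifies the CA-names section of `openssl s_client` output so the check can be repeated before and after an upgrade. The function names `ca_names_status` and `check_host` are hypothetical, and the two sample outputs are constructed.

```shell
#!/usr/bin/env bash
# Classify the client-CA section of `openssl s_client` output read from stdin.
# Prints "sent:<n>" (n = number of CA DNs listed), "none", or "unknown".
# s_client prints the same "No client certificate CA names sent" line both for
# an empty list and when no certificate was requested, so both map to "none".
ca_names_status() {
  awk '
    /^No client certificate CA names sent/ { none = 1 }
    /^Acceptable client certificate CA names/ { inlist = 1; seen = 1; next }
    # The DN list ends at the next s_client section header or separator.
    inlist && (/^---/ || /^Client Certificate Types:/ ||
               /Requested Signature Algorithms:/ || /^Peer signing digest:/ ||
               /^Server Temp Key:/) { inlist = 0 }
    inlist && NF { n++ }
    END {
      if (seen) print "sent:" (n + 0)
      else if (none) print "none"
      else print "unknown"   # e.g. the handshake failed before this section
    }'
}

# Run the check live against a virtual server, once per protocol version.
# Usage: check_host host:port   (not called here; needs network access)
check_host() {
  for v in tls1_2 tls1_3; do
    printf '%s: ' "$v"
    openssl s_client -connect "$1" "-$v" </dev/null 2>/dev/null | ca_names_status
  done
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_TLS12='---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Client CA 1
C = US, O = Example Corp, CN = Example Client CA 2
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---'
SAMPLE_TLS13='---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
---'

# Compare two captured outputs: "match" if both advertise CAs, else "mismatch".
compare_outputs() {
  a=$(printf '%s\n' "$1" | ca_names_status)
  b=$(printf '%s\n' "$2" | ca_names_status)
  if [ "$a" = "$b" ] && [ "${a%%:*}" = "sent" ]; then echo match; else echo "mismatch ($a vs $b)"; fi
}
```

On an affected version the behaviour described in the post shows up as `sent:<n>` for `tls1_2` and `none` for `tls1_3`.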
Finally, I can answer myself:
The updated version of the bug shows that F5 didn't provide the right info:
https://cdn.f5.com/product/bugtracker/ID878641.html
Affected versions still without the 16.x tree, but "Fixed in" 16.1.4.
And I can confirm the bug is fixed in our 16.1.4.
- RootiAltostratus
Thanks Rooti for coming back and closing the loop on this one.
Especially after such a long time - really an invaluable service to all the members who'll come here after this.
Cheers
Rooti - The easiest way to see if a bug exists for your device and the configuration it is running is to create a QKVIEW and upload it to iHealth. This could be a similar bug but slightly different, so it has a different bug ID, but this would absolutely show up in iHealth when you upload the QKVIEW.
Rooti - If your post was solved it would be helpful to the community to select *Accept As Solution*.
Thanks for being part of our community.