Forum Discussion

Rooti's avatar
Rooti
Icon for Altostratus rankAltostratus
Aug 09, 2023

Bug ID 878641: "TLS1.3 certificate request message does not contain CAs" not fixed?

BigIP Version: 16.1.3.3

Hello community,

when trying to configure Client-Certificate-Authentication in a clientssl-profile with "Advertised Certificate Authorities" we found that with TLS1.3 the list is empty:

openssl s_client
=> No client certificate CA names sent
when using TLS1.2 it works:
=> Acceptable client certificate CA names
<list of CAs>

This looks exactly like https://cdn.f5.com/product/bugtracker/ID878641.html which lists just 15.x as affected and as fixed. Our box uses 16.1.3.3.
Could someone explain what that means? Versions 16.x are not known to be affected or "should" be fixed in 16.x as well? The KB https://my.f5.com/manage/s/article/K07245790 lists all versions as affected, however.

Can someone confirm the bug in versions 16.x?

Thanks!

5 Replies

    • Thanks Rooti for coming back and closing the loop on this one. 
      Especially after such a long time - really an invaluable service to all the members who'll come here after this.

      Cheers

  • Rooti The easiest way to see if a bug exists for your device and the configuration it is running is to create a QKVIEW and upload it to iHealth. This could be a similar bug but slightly different so it has a different bug ID but this would absolutely show up in iHealth when you upload the QKVIEW.

    • Rooti's avatar
      Rooti
      Icon for Altostratus rankAltostratus

      PauliusThanks for the good advice. iHealth lists no Bugs regarding TLS1.3.

  • Rooti  - If your post was solved it would be helpful to the community to select *Accept As Solution*.
    Thanks for being part of our community.