...
The default CA certificate bundle file used by the system contains some older certificates, e.g., expired or soon-to-be-expired ones.
When the built-in trusted certificates are obsolete, i.e., the bundle contains a certain number of expired certificates, the system might fail to verify peer certificates correctly.
If the default CA certificate bundle file is configured in SSL profiles, it is used as the set of built-in trusted certificates when verifying the peer's certificate during the SSL handshake.
You can either directly update the default CA certificate bundle file /config/ssl/ssl.crt/ca-bundle.crt with proper certificates and then run 'bigstart restart tmm'.
Alternatively, you can use a separate certificate, for example:
tmsh install sys crypto cert better_ca_bundle from-local-file /shared/better_ca_bundle.pem
tmsh modify ltm profile client-ssl cssl ca-file better_ca_bundle.crt
This release updates the default CA certificate bundle file by adding the latest certificates and removing the expired certificates.
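To see which certificates in a bundle are expired or close to expiry, before editing the default file or installing a replacement as described above, the bundle can be split and each certificate checked with openssl. This is an added example, not F5 tooling; the function name audit_ca_bundle is hypothetical, and it assumes openssl, awk and mktemp are available on the host.

```shell
#!/bin/sh
# Added example (not from the original page). audit_ca_bundle is a hypothetical helper.
# Usage: audit_ca_bundle BUNDLE [DAYS]
# Prints one tab-separated line per certificate that is unparseable, expired,
# or expiring within DAYS days (default 30).
# Returns 0 if nothing is flagged, 1 if anything is flagged, 2 on read/setup errors.
audit_ca_bundle() {
    bundle=$1
    days=${2:-30}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2

    # Split the PEM bundle into one file per certificate block.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%05d.pem", dir, n); on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/ { on = 0; close(out) }
    ' "$bundle"

    flagged=0
    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || break          # bundle held no certificate blocks
        if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
            state=UNPARSEABLE
        elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
            state=EXPIRED               # notAfter is already in the past
        elif ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
            state=EXPIRING              # notAfter falls inside the warning window
        else
            continue
        fi
        flagged=$((flagged + 1))
        printf '%s\t%s\t%s\n' "$state" \
            "$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null)" \
            "$(openssl x509 -in "$pem" -noout -subject 2>/dev/null)"
    done
    rm -rf "$tmpdir"
    [ "$flagged" -eq 0 ]
}

# Example call against the path named on this page:
#   audit_ca_bundle /config/ssl/ssl.crt/ca-bundle.crt 60
```

Running it against both the default bundle and a candidate replacement such as /shared/better_ca_bundle.pem shows whether the replacement actually removes the flagged entries.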