Operational Defect Database


F5 | 891565

The Subject Alternative Name (SAN) field in Certificates and Certificate Signing Requests is limited to 4095 bytes

Last update date:

4/26/2024

Affected products:

BIG-IP

BIG-IP LTM

Affected releases:

12.1.2

12.1.3

12.1.3.1

12.1.3.2

12.1.3.3

12.1.3.4

12.1.3.5

12.1.3.6

12.1.3.7

12.1.4

12.1.4.1

12.1.5

Fixed releases:

No fixed releases provided.

Description:

Symptoms:

When creating a Certificate Signing Request (CSR) or when creating or using a Certificate (CRT), there is a limit of 4096 bytes in the Subject Alternative Names (SAN) field. Since one byte is reserved, the value entered into that field cannot exceed 4095 bytes.

Note that if the SAN list is so long that it causes the entire SSL handshake (i.e., all handshake messages combined) to exceed 32K, then the handshake will be aborted with the code "hs msg overflow"; see K40902150 for further details.

Impact:

Very long SAN values cannot be used.

Conditions:

- Generation of a Certificate Signing Request with a large SAN list.

(or)

- Use of a client-ssl profile with a virtual server, where an associated certificate contains a large SAN field.

Workaround:

- Create multiple certificates, where each certificate has a sufficiently short SAN list, then create client-ssl profiles for each cert+key, then assign all of those profiles to the same virtual server...
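The workaround above requires dividing a long hostname list across several certificates. This added Python example (not F5's code) greedily packs hostnames into SAN field values that each stay within the 4095-byte limit; it assumes the field is a comma-separated list of DNS:<name> entries and that the limit applies to that text.

```python
"""Split a long SAN list into chunks that each fit the BIG-IP SAN field limit.

Constructed example for the workaround described above (not F5's code).
Assumptions: the SAN field is a comma-separated list of "DNS:<name>" entries
and the 4095-byte limit applies to that text.
"""

SAN_FIELD_LIMIT = 4095  # usable bytes in the field (4096 minus one reserved byte)


def san_entry(name: str) -> str:
    """Format one hostname as a SAN field entry (entry format is an assumption)."""
    return f"DNS:{name}"


def split_san_list(names, limit=SAN_FIELD_LIMIT, sep=","):
    """Greedily pack SAN entries into field values that each fit within `limit` bytes.

    Returns one string per certificate to create. Raises ValueError if a
    single entry is already too long to fit in a field on its own.
    """
    chunks, current, current_len = [], [], 0
    for name in names:
        entry = san_entry(name)
        entry_len = len(entry.encode("utf-8"))
        if entry_len > limit:
            raise ValueError(f"single SAN entry exceeds {limit} bytes: {name!r}")
        # Bytes added if appended: separator (only when the chunk is non-empty) + entry
        added = entry_len + (len(sep) if current else 0)
        if current_len + added > limit:
            chunks.append(sep.join(current))  # close the full chunk
            current, current_len = [entry], entry_len
        else:
            current.append(entry)
            current_len += added
    if current:
        chunks.append(sep.join(current))
    return chunks


def fits_san_field(value: str, limit=SAN_FIELD_LIMIT) -> bool:
    """True when the SAN field text stays within the documented limit."""
    return len(value.encode("utf-8")) <= limit


if __name__ == "__main__":
    # Constructed input: 300 hostnames, more than one SAN field can hold.
    hosts = [f"host{i:03d}.example.test" for i in range(300)]
    for i, chunk in enumerate(split_san_list(hosts), 1):
        print(f"cert {i}: {len(chunk)} bytes, {chunk.count('DNS:')} names")
```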


Status

New
