Last Modified: Sep 25, 2024
Affected Product(s):
BIG-IP LTM
Fixed In:
17.1.0.1
Opened: Feb 24, 2023 Severity: 3-Major
FIPS 140-3 certification now requires OpenSSL to compute the Extended Master Secret instead of the (legacy) Master Secret. If a FIPS 140-3 license is not installed and an external OpenSSL client does not support Extended Master Secret, the handshake downgrades to the legacy Master Secret and continues without errors. If a FIPS 140-3 license is enabled and an external OpenSSL client does not support Extended Master Secret, OpenSSL no longer downgrades to the legacy Master Secret; instead, it aborts the handshake and reports a failure.
There is no impact to BIG-IP production traffic.
[1] No conditions if a FIPS 140-3 license is not installed. [2] A FIPS 140-3 license is installed and an external OpenSSL client does not support Extended Master Secret.
None
None
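The following is an added example, not F5 or OpenSSL code: a Python check that reads a captured ClientHello, reports whether the client offers the extended_master_secret extension (type 23, RFC 7627), and models the handshake outcome described above for each license state. The function names, outcome labels and sample ClientHello bytes are constructed for illustration, and the ClientHello is assumed to fit in a single TLS record.

```python
import struct

EXT_EXTENDED_MASTER_SECRET = 0x0017  # extension type from RFC 7627

def client_hello_extensions(record: bytes) -> list:
    """Return the extension type codes offered in a one-record ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                                          # version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    if pos + 2 > len(body):
        return []                        # client sent no extensions block
    end = min(pos + 2 + int.from_bytes(body[pos:pos + 2], "big"), len(body))
    pos += 2
    types = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        types.append(ext_type)
        pos += 4 + ext_len
    return types

def handshake_outcome(record: bytes, fips_140_3_licensed: bool) -> str:
    """Model the behaviour this page describes (labels are hypothetical)."""
    if EXT_EXTENDED_MASTER_SECRET in client_hello_extensions(record):
        return "extended-master-secret"
    return "abort" if fips_140_3_licensed else "legacy-master-secret"

def build_client_hello(ext_types) -> bytes:
    """Constructed sample input: minimal TLS 1.2 ClientHello, empty extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if ext_types is not None:
        exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for exts in ([35, 23], [35], None):   # 35 = session_ticket, 23 = EMS
        hello = build_client_hello(exts)
        for licensed in (False, True):
            print(exts, "FIPS" if licensed else "no FIPS", "->",
                  handshake_outcome(hello, licensed))
```

Run against ClientHello records exported from a packet capture, this identifies the clients that would fail once a FIPS 140-3 license is installed.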