Last Modified: Jun 28, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
17.1.2, 17.1.2.1, 17.1.2.2
Fixed In:
17.5.1
Opened: Feb 03, 2025
Severity: 3-Major
Symptoms:
When a FIPS license is installed, OpenSSL requires the Extended Master Secret (EMS) extension from its peer clients. If a legacy TLS/SSL client does not include the EMS extension in its ClientHello, the OpenSSL server simply aborts the handshake without sending a fatal handshake alert to the client. As a result, the reason for the handshake abort is not clear.
Impact:
Because no explicit log message is written, it is not obvious what the error was when the handshake terminated.
Conditions:
1. A FIPS license is installed on the BIG-IP device.
2. The HTTPD server running on the BIG-IP device is linked with libssl.{so, a}.
3. An attempt is made to contact the WebUI from a legacy browser that does not support EMS (or, alternatively, from a service that does not advertise EMS support).
Workaround:
None
Fix Information:
A log message indicating a fatal handshake alert will be added. Whenever a legacy TLS/SSL client fails to provide the Extended Master Secret extension in its ClientHello to a BIG-IP device with a FIPS license installed, an error will be logged as the handshake aborts. This informs the user of the reason for the handshake termination.
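Until the fix is installed, an operator can confirm whether a failing client is the legacy, non-EMS kind described in the conditions above by inspecting its ClientHello for the extended_master_secret extension (type 0x0017, RFC 7627). The following is an added example, not F5's or OpenSSL's code; it parses a TLS record holding a ClientHello and includes a builder that constructs sample records (assumed minimal TLS 1.2 ClientHellos, not captured traffic) so it runs offline.

```python
import struct

EMS_EXTENSION_TYPE = 0x0017  # extended_master_secret (RFC 7627)


def build_client_hello(extensions: list[tuple[int, bytes]]) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello wrapped in a record.
    Built here only so the parser can be exercised without a packet capture."""
    body = b"\x03\x03" + b"\x11" * 32            # client_version + random
    body += b"\x00"                              # session_id length 0
    body += b"\x00\x02" + b"\xc0\x2f"            # one cipher suite
    body += b"\x01\x00"                          # compression: null only
    ext_block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    if extensions:                               # legacy clients may omit the block entirely
        body += struct.pack("!H", len(ext_block)) + ext_block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_hello_extensions(record: bytes) -> dict[int, bytes]:
    """Parse one TLS handshake record containing a ClientHello.
    Returns {extension_type: extension_data}; empty if no extensions are present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                 # skip version and random
    off += 1 + p[off]                            # session_id
    off += 2 + struct.unpack("!H", p[off:off + 2])[0]   # cipher_suites
    off += 1 + p[off]                            # compression_methods
    exts: dict[int, bytes] = {}
    if off >= len(p):
        return exts                              # no extensions block at all
    end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        et, el = struct.unpack("!HH", p[off:off + 4])
        exts[et] = p[off + 4:off + 4 + el]
        off += 4 + el
    return exts


def offers_ems(record: bytes) -> bool:
    """True if the client advertises EMS, i.e. it will pass the FIPS-mode check."""
    return EMS_EXTENSION_TYPE in client_hello_extensions(record)
```

A ClientHello taken from a capture of a failing connection can be fed to offers_ems directly; a False result matches the silent abort described in the symptoms.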