Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5
Fixed In:
14.0.0, 13.1.0.6
Opened: Oct 19, 2017 Severity: 3-Major
SSL forward proxy reuses the server ssl session when client ip, server ip and server port matches the ssl session. when multiple virtual https servers share the same ip address, it could happen server ssl reuse a session previously from other virtual server. in such a situation, client cannot forge certificate and hangs the ssh handshake.
client cannot access some https web server.
multiple virtual https servers share the same ip address, and they internally share the ssl sessions. we saw it happens in several google domain.
A workaround is disabling the "Session Ticket" in the server ssl profile, since we do not support session id resumption in the server ssl, this will cause it do full handshake to web server every time, so server_certchain will not be NULL.
it matches the client ip, server ip and port as well as the server name in the SNI to the server ssl session cache. it will not reuse the sessions does not match virtual server name after the fix.