Bug ID 694778: Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8

Fixed In:
14.0.0, 13.1.1, 12.1.3.5

Opened: Nov 15, 2017

Severity: 3-Major

Symptoms

SSO-enabled Native RDP resources cannot be accessed via hardware (HW) BIG-IP systems with the 'Intel Cave Creek' coprocessor; that is, the SSL connection cannot be established when the db variable 'crypto.hwacceleration' is enabled and an RSA key is used.

Impact

-- SSL connection fails.
-- RDP client cannot launch the requested resource (desktop/application).

Conditions

The failure might occur in the following scenario:
-- Running on Intel Cave Creek Engine (e.g., BIG-IP 2000 (C112) or 4000 (C113)).
-- Client OS is Mac, iOS, or Android.
-- HW crypto is enabled.
-- Using a virtual server with a client SSL profile and 2048 bit RSA key on.
-- Native RDP resource with enabled SSO is used on hardware BIG-IP with 'Intel Cave Creek' coprocessor.
-- Output buffer size differs from RSA private key size.

Workaround

There is no workaround other than to disable crypto HW acceleration with the following command:

tmsh modify sys db crypto.hwacceleration value disable

Fix Information

SSL connection can now be established as expected. SSO-enabled Native RDP resources can now be accessed via hardware BIG-IP systems with 'Intel Cave Creek' coprocessor (e.g., BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS, and Android clients.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips