Bug ID 701147: ProxySSL does not work properly with Extended Master Secret and OCSP

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5

Fixed In:
14.0.0, 13.1.0.6

Opened: Jan 09, 2018

Severity: 3-Major

Related Article: K36563645

Symptoms

The SSL handshake fails when the BIG-IP system is operating in ProxySSL mode and the client and server negotiate the Extended Master Secret and OCSP features together.

Impact

ProxySSL does not work properly with Extended Master Secret and OCSP simultaneously.

Conditions

1. The virtual server is configured to work in ProxySSL mode.
2. The client and server negotiate the SSL handshake with the Extended Master Secret.
3. The client and server negotiate to use OCSP.

Workaround

None.

Fix Information

The certificate status message is now included in the calculation of the Extended Master Secret.
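Why the omission breaks the handshake, as an added example that is not F5 code: under RFC 7627 the Extended Master Secret is derived from a hash of every handshake message up to and including ClientKeyExchange, so a proxy that leaves the stapled OCSP CertificateStatus message out of that hash derives different keys than the endpoints. The message bodies, the pre-master secret and all function names are constructed for illustration, and SHA-256 is assumed as the cipher suite's PRF hash.

```python
import hashlib
import hmac

# Handshake message types (RFC 5246; certificate_status is from RFC 6066).
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11
SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE, CERTIFICATE_STATUS = 14, 16, 22


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Frame a handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (P_SHA256) from RFC 5246, section 5."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def extended_master_secret(pre_master: bytes, transcript: list) -> bytes:
    """RFC 7627: master secret bound to the hash of the handshake transcript."""
    session_hash = hashlib.sha256(b"".join(transcript)).digest()
    return tls12_prf(pre_master, b"extended master secret", session_hash, 48)


def build_transcript(include_status: bool) -> list:
    """Constructed placeholder bodies; only the message sequence matters here."""
    msgs = [
        handshake_msg(CLIENT_HELLO, b"constructed-client-hello"),
        handshake_msg(SERVER_HELLO, b"constructed-server-hello"),
        handshake_msg(CERTIFICATE, b"constructed-certificate-chain"),
    ]
    if include_status:  # stapled OCSP response, sent right after Certificate
        msgs.append(handshake_msg(CERTIFICATE_STATUS, b"constructed-ocsp-response"))
    msgs += [
        handshake_msg(SERVER_HELLO_DONE, b""),
        handshake_msg(CLIENT_KEY_EXCHANGE, b"constructed-key-exchange"),
    ]
    return msgs


PRE_MASTER = bytes(48)  # constructed value, not a real secret
endpoint_ms = extended_master_secret(PRE_MASTER, build_transcript(True))
proxy_ms_missing_status = extended_master_secret(PRE_MASTER, build_transcript(False))
proxy_ms_fixed = extended_master_secret(PRE_MASTER, build_transcript(True))
```

With the status message omitted the proxy's master secret differs from the endpoints', so the Finished messages it sees cannot be verified or decrypted with its keys; with the message included the secrets match.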

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips