Bug ID 774913: IP-based bypass can fail if SSL ClientHello is not accepted

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2

Fixed In:
15.1.0, 15.0.1.3, 14.1.2.1

Opened: Apr 20, 2019

Severity: 2-Critical

Symptoms

IP-based bypass can fail for SSL stream if the client sends a ClientHello that is not accepted by the BIP-IP system.

Impact

Connection drop.

Conditions

Client's SSL ClientHello message is not accepted by the BIG-IP system.

Workaround

None.

Fix Information

Check SSL bypass policy before parsing ClientHello message.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips