Bug ID 1036873: Pre-shared key extension sometimes is not the last extension in ClientHello in TLS1.3

Last Modified: Apr 24, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,,, 15.1.9,, 15.1.10,,,, 16.0.0,, 16.0.1,,, 16.1.0, 16.1.1, 16.1.2,,, 16.1.3,,,,,, 16.1.4,,,

Fixed In:

Opened: Jul 27, 2021

Severity: 3-Major


Under some conditions, the BIG-IP's TLS 1.3 Client Hello sometimes does not have the pre-shared key extension as the last extension in the Client Hello. This is contrary to a requirement in the TLS 1.3 RFC, and causes servers to fail the connection. A backend server may log a message such as: SSL_do_handshake() failed (SSL: error:141B306E:SSL routines:tls_collect_extensions:bad extension)


The TLS handshake fails.


-- Server SSL profile (BIG-IP operating as client) with TLS 1.3 enabled. -- A Client Hello message size that falls between 256 and 512 bytes (without padding), which causes the BIG-IP to introduce a padding extension at the end of the Client Hello. This issue can be seen via use of the "single-dh-use" or "session-tickets" options in the SSL profile.


Adjust the configuration of the Server SSL profile by either: -- Disable Session Tickets or -- Disable the single-dh-use option

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips