Bug ID 1036873: Pre-shared key extension sometimes is not the last extension in ClientHello in TLS1.3

Last Modified: Dec 18, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3

Fixed In:
17.0.0, 16.1.5

Opened: Jul 27, 2021

Severity: 3-Major

Symptoms

Under some conditions, the BIG-IP's TLS 1.3 Client Hello sometimes does not have the pre-shared key extension as the last extension in the Client Hello. This is contrary to a requirement in the TLS 1.3 RFC, and causes servers to fail the connection. A backend server may log a message such as: SSL_do_handshake() failed (SSL: error:141B306E:SSL routines:tls_collect_extensions:bad extension)

Impact

The TLS handshake fails.

Conditions

-- Server SSL profile (BIG-IP operating as client) with TLS 1.3 enabled. -- A Client Hello message size that falls between 256 and 512 bytes (without padding), which causes the BIG-IP to introduce a padding extension at the end of the Client Hello. This issue can be seen via use of the "single-dh-use" or "session-tickets" options in the SSL profile.

Workaround

Adjust the configuration of the Server SSL profile by either: -- Disable Session Tickets or -- Disable the single-dh-use option

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips