Bug ID 1036873: Pre-shared key extension sometimes is not the last extension in ClientHello in TLS1.3

Last Modified: Sep 23, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0

Opened: Jul 27, 2021
Severity: 3-Major

Symptoms

Under some conditions, the BIG-IP's TLS 1.3 Client Hello sometimes does not have the pre-shared key extension as the last extension in the Client Hello. This is contrary to a requirement in the TLS 1.3 RFC, and causes servers to fail the connection. A backend server may log a message such as: SSL_do_handshake() failed (SSL: error:141B306E:SSL routines:tls_collect_extensions:bad extension)

Impact

The TLS handshake fails.

Conditions

-- Server SSL profile (BIG-IP operating as client) with TLS 1.3 enabled. -- A Client Hello message size that falls between 256 and 512 bytes (without padding), which causes the BIG-IP to introduce a padding extension at the end of the Client Hello. This issue can be seen via use of the "single-dh-use" or "session-tickets" options in the SSL profile.

Workaround

Adjust the configuration of the Server SSL profile by either: -- Disable Session Tickets or -- Disable the single-dh-use option

Fix Information

None

Behavior Change