Bug ID 1086473: BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake

Last Modified: Mar 01, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
17.0.0, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6,,,,,,

Opened: Mar 11, 2022

Severity: 3-Major


When a client attempts to resume the TLS session using the Session-ID in its Client Hello from a previous session, the BIG-IP agrees by using the same Session-ID in its Server Hello, but then proceeds to perform a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Server Hello Done). This is a violation of the TLS RFC.


Client-side TLS session resumption not working.


- High availability (HA) pair of two BIG-IP units. - LTM virtual server with a client-ssl profile. - Mirroring enabled on the virtual server


Disable mirroring on the virtual server

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips