Bug ID 1086473: BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake

Last Modified: Aug 01, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
17.0.0, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.5.1, 14.1.4.5, 14.1.4.4, 14.1.4.3, 14.1.4.2, 14.1.4.1

Opened: Mar 11, 2022
Severity: 3-Major

Symptoms

When a client attempts to resume the TLS session using the Session-ID in its Client Hello from a previous session, the BIG-IP agrees by using the same Session-ID in its Server Hello, but then proceeds to perform a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Server Hello Done). This is a violation of the TLS RFC.

Impact

Client-side TLS session resumption not working.

Conditions

- High availability (HA) pair of two BIG-IP units. - LTM virtual server with a client-ssl profile. - Mirroring enabled on the virtual server

Workaround

Disable mirroring on the virtual server

Fix Information

None

Behavior Change