Bug ID 1086473: BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake

Last Modified: Jan 10, 2023

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
17.0.0, 16.1.1, 16.1.0, 16.0.1, 16.0.0

Opened: Mar 11, 2022
Severity: 3-Major


Symptoms

When a client attempts to resume the TLS session using the Session-ID in its Client Hello from a previous session, the BIG-IP agrees by using the same Session-ID in its Server Hello, but then proceeds to perform a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Server Hello Done). This is a violation of the TLS RFC.
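To check a capture for this behaviour, the following added example (not F5 code) parses the cleartext part of a handshake and flags a Server Hello that echoes the offered Session-ID but is followed by a Certificate message. It assumes TLS 1.2 or earlier, handshake messages that are not fragmented across records, and constructed sample bytes; all function names are hypothetical.

```python
import struct
HANDSHAKE, CCS = 22, 20  # TLS record content types
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11  # handshake message types

def messages(stream):
    """Yield (kind, body) per cleartext message; assumes no fragmentation across records."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype == CCS:
            yield ("ccs", b"")
            return  # everything after ChangeCipherSpec is encrypted
        if ctype != HANDSHAKE:
            continue
        off = 0
        while off + 4 <= len(payload):
            mlen = int.from_bytes(payload[off + 1:off + 4], "big")
            yield (payload[off], payload[off + 4:off + 4 + mlen])
            off += 4 + mlen

def session_id(hello_body):
    # Both hellos start: version(2) random(32) session_id_length(1) session_id
    return hello_body[35:35 + hello_body[34]]

def classify(client_stream, server_stream):
    offered = next((session_id(b) for k, b in messages(client_stream) if k == CLIENT_HELLO), b"")
    flight = list(messages(server_stream))
    idx = next((i for i, (k, _) in enumerate(flight) if k == SERVER_HELLO), None)
    if idx is None:
        return "no-server-hello"
    if not offered or session_id(flight[idx][1]) != offered:
        return "full-handshake"  # nothing offered, or server declined with a new ID
    # Session ID echoed: a Certificate message afterwards means a full handshake followed.
    return "violation" if any(k == CERTIFICATE for k, _ in flight[idx + 1:]) else "resumed"

# --- constructed sample data (hello bodies truncated after the session ID) ---
def hs(mtype, body=b""): return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def rec(ctype, payload): return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload
def hello(sid): return b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid
SID = bytes(range(32))
CLIENT = rec(HANDSHAKE, hs(CLIENT_HELLO, hello(SID)))
ABBREVIATED = rec(HANDSHAKE, hs(SERVER_HELLO, hello(SID))) + rec(CCS, b"\x01")
FULL_AFTER_ECHO = rec(HANDSHAKE, hs(SERVER_HELLO, hello(SID)) + hs(CERTIFICATE)
                      + hs(12) + hs(13) + hs(14))  # SKE, CertReq, ServerHelloDone

if __name__ == "__main__":
    print(classify(CLIENT, ABBREVIATED), classify(CLIENT, FULL_AFTER_ECHO))
```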


Impact

Client-side TLS session resumption not working.


Conditions

- High availability (HA) pair of two BIG-IP units.
- LTM virtual server with a client-ssl profile.
- Mirroring enabled on the virtual server.


Workaround

Disable mirroring on the virtual server.

Fix Information


Behavior Change