Bug ID 1252093: BIG-IP userspace TLS stack now supports Extended Master Secret

Last Modified: Feb 07, 2025

Affected Product(s):
BIG-IP LTM (all modules)

Fixed In:
17.1.0.1

Opened: Feb 24, 2023

Severity: 3-Major

Symptoms

FIPS 140-3 certification now requires TLS to use the algorithm that computes the Extended Master Secret instead of the current algorithm that computes the (legacy) Master Secret. If a FIPS 140-3 license is not installed and an external TLS client does not support Extended Master Secret, the handshake will downgrade to the legacy Master Secret and continue without errors. If a FIPS 140-3 license is enabled and an external TLS client does not support Extended Master Secret, the BIG-IP will no longer downgrade to the legacy Master Secret; instead, it will abort the handshake and report a failure.

Impact

There is no impact to BIG-IP production traffic.

Conditions

[1] No conditions if a FIPS 140-3 license is not installed. [2] A FIPS 140-3 license is installed and an external TLS client does not support Extended Master Secret.

Workaround

None

Fix Information

None

Behavior Change
