Last Modified: Feb 07, 2025
Affected Product(s):
BIG-IP LTM
Fixed In:
17.1.0.1
Opened: Feb 24, 2023 Severity: 3-Major
FIPS 140-3 certification now requires TLS to use the algorithm that computes the Extended Master Secret instead of the current algorithm that computes the (legacy) Master Secret. If a FIPS 140-3 license is not installed and an external TLS client does not support Extended Master Secret, the handshake downgrades to the legacy Master Secret and continues without errors. If a FIPS 140-3 license is enabled and an external TLS client does not support Extended Master Secret, the BIG-IP no longer downgrades to the legacy Master Secret; instead, it aborts the handshake and reports a failure.
There is no impact to BIG-IP production traffic.
[1] No conditions if a FIPS 140-3 license is not installed.
[2] A FIPS 140-3 license is installed and an external TLS client does not support Extended Master Secret.
None
None