Bug ID 1284993: TLS extensions which are configured after session_ticket are not parsed from Client Hello messages

Last Modified: Mar 30, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5

Fixed In:
17.1.1, 16.1.4

Opened: Apr 05, 2023

Severity: 3-Major

Symptoms

When the client Hello message contains session_ticket extension, it was observed that the extensions which are configured after the session ticket extension were not processed and all the extensions are being ignored.

Impact

A few requests are not forwarded correctly, for example, in scenario where server_name extension is configured after session_ticket but due to the current issue, [SSL::extensions exists -type 0] is returning 0 even though the server_name extension is present in Client Hello.

Conditions

Configure SSL extensions along with session_ticket extension.

Workaround

Configure all the required extensions before the session_ticket extension.

Fix Information

TLS extensions which are configured after session_ticket are not parsed from Client Hello messages. Changes have been made in such a way that ext_sz variable which holds the size of all the extns configured in client Hello message is not limited to SSL_SZ_SESSIONID which is 32 bytes.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips