Bug ID 2035177: Use of OCSP responder with SSL C3D enabled in virtual server may leak SSL handshake instances

Last Modified: Sep 04, 2025

Affected Product(s):
BIG-IP All (all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.5.0, 17.5.1

Opened: Aug 20, 2025

Severity: 3-Major

Symptoms

When SSL C3D (Client Certificate Constrained Delegation) is used with an OCSP responder, SSL handshake instances may be leaked because MPI drops replies during traffic bursts.

Impact

TMM ssl_hs_m memory usage grows over time, eventually causing memory pressure and potentially a traffic disruption due to a TMM restart.

Conditions

Traffic flows through a virtual server with C3D enabled, utilizing an OCSP responder to validate the status of the client's certificate.

Workaround

None

Fix Information

None

Behavior Change
