Bug ID 2141297: In TLSv1.3, BIG-IP enforces the use of FFDHE key share if it is preferred over other DH groups

Last Modified: Nov 25, 2025

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
17.1.3, 17.5.1.3, 21.0.0

Opened: Oct 31, 2025

Severity: 3-Major

Symptoms

The BIG-IP system sends back an FFDHE key share that forces the client to also use FFDHE, even if the client sent a key share that is still acceptable to the BIG-IP.

Impact

Clients are forced to use the FFDHE group for their key share even if they sent a key share that the BIG-IP system would have accepted, so the handshake costs an extra round trip (HelloRetryRequest) and ends up on the FFDHE group rather than the group the client offered.

Conditions

The BIG-IP system is configured to prefer an FFDHE DH group and the client sends the same FFDHE DH group as supported but sends a key share for a different DH group.

Workaround

Either remove the FFDHE groups, or reorder DH group preferences so that FFDHE groups are not preferred over other groups.
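To make the conditions and the workaround concrete, here is a small model of TLS 1.3 group selection. It is an added illustration, not BIG-IP code: `select_group` takes the server's DH group preference list and a constructed ClientHello (supported_groups plus the groups the client actually sent key shares for) and returns whether the server accepts an offered share or sends HelloRetryRequest. `strict_preference=True` models the behaviour reported in this bug; `False` models the path RFC 8446 section 4.2.7 recommends, where the server uses an offered share it supports and only signals its preference via supported_groups. The group names are IANA TLS named groups; the preference lists and ClientHello contents are constructed sample data.

```python
"""Model of TLS 1.3 (EC)DHE group selection, constructed to illustrate the
bug record above; it is not BIG-IP code and does not parse real handshakes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientHello:
    supported_groups: tuple  # client's supported_groups extension, client preference order
    key_share_groups: tuple  # groups for which the client actually sent a key_share entry


def select_group(server_prefs, hello, strict_preference):
    """Return ("accept", group), ("hrr", group) or ("abort", reason).

    strict_preference=True  : pick the most preferred mutually supported group and,
                              if the client sent no share for it, send HelloRetryRequest
                              even though another offered share was acceptable (the
                              behaviour described in this bug).
    strict_preference=False : use the first server-preferred group the client already
                              sent a share for; send HelloRetryRequest only when none of
                              the offered shares is in the server's list (RFC 8446 4.2.7).
    """
    mutual = [g for g in server_prefs if g in hello.supported_groups]
    if not mutual:
        return ("abort", "handshake_failure")  # no common group at all
    if strict_preference:
        best = mutual[0]
        if best in hello.key_share_groups:
            return ("accept", best)
        return ("hrr", best)  # forces a second ClientHello carrying a share for `best`
    for g in mutual:
        if g in hello.key_share_groups:
            return ("accept", g)
    return ("hrr", mutual[0])


# Constructed client: advertises three groups but, as is common, sends a single
# ECDHE key share for its favourite (x25519).
CLIENT_HELLO = ClientHello(
    supported_groups=("x25519", "secp256r1", "ffdhe2048"),
    key_share_groups=("x25519",),
)

# Constructed server preference lists matching the bug's Conditions and Workaround.
AFFECTED_PREFS = ("ffdhe2048", "x25519", "secp256r1")   # FFDHE preferred: triggers the bug
WORKAROUND_REORDERED = ("x25519", "secp256r1", "ffdhe2048")  # FFDHE kept, but not preferred
WORKAROUND_REMOVED = ("x25519", "secp256r1")                 # FFDHE groups removed


def round_trips(decision):
    """Extra handshake flights caused by the decision: an HRR adds one full round trip."""
    return 1 if decision[0] == "hrr" else 0


def demo():
    """Compare the affected behaviour, the RFC-recommended behaviour and both workarounds."""
    return {
        "affected": select_group(AFFECTED_PREFS, CLIENT_HELLO, strict_preference=True),
        "rfc_recommended": select_group(AFFECTED_PREFS, CLIENT_HELLO, strict_preference=False),
        "workaround_reorder": select_group(WORKAROUND_REORDERED, CLIENT_HELLO, strict_preference=True),
        "workaround_remove": select_group(WORKAROUND_REMOVED, CLIENT_HELLO, strict_preference=True),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}  (+{round_trips(decision)} round trip)")
```

Running the model shows the affected configuration answering the offered x25519 share with a HelloRetryRequest for ffdhe2048, while the same ClientHello is accepted on x25519 under either workaround; the extra round trip is what a client-side latency measurement or a packet capture showing HelloRetryRequest would reveal when checking whether a BIG-IP is affected.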

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips